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Preface 


We have offered a course at the University of Waterloo in quantum comput- 
ing since 1999. We have had students from a variety of backgrounds take the 
course, including students in mathematics, computer science, physics, and engi- 
neering. While there is an abundance of very good introductory papers, surveys 
and books, many of these are geared towards students already having a strong 
background in a particular area of physics or mathematics. 


With this in mind, we have designed this book for the following reader. The 
reader has an undergraduate education in some scientific field, and should par- 
ticularly have a solid background in linear algebra, including vector spaces and 
inner products. Prior familiarity with topics such as tensor products and spectral 
decomposition is not required, but may be helpful. We review all the necessary 
material, in any case. In some places we have not been able to avoid using notions 
from group theory. We clearly indicate this at the beginning of the relevant sec- 
tions, and have kept these sections self-contained so that they may be skipped by 
the reader unacquainted with group theory. We have attempted to give a gentle 
and digestible introduction of a difficult subject, while at the same time keeping 
it reasonably complete and technically detailed. 


We integrated exercises into the body of the text. Each exercise is designed to 
illustrate a particular concept, fill in the details of a calculation or proof, or to 
show how concepts in the text can be generalized or extended. To get the most 
out of the text, we encourage the student to attempt most of the exercises. 


We have avoided the temptation to include many of the interesting and im- 
portant advanced or peripheral topics, such as the mathematical formalism of 
quantum information theory and quantum cryptography. Our intent is not to 
provide a comprehensive reference book for the field, but rather to provide stu- 
dents and instructors of the subject with a reasonably brief, and very accessible 
introductory graduate or senior undergraduate textbook. 
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1 


INTRODUCTION 
AND BACKGROUND 


1.1 Overview 


A computer is a physical device that helps us process information by executing 
algorithms. An algorithm is a well-defined procedure, with finite description, 
for realizing an information-processing task. An information-processing task can 
always be translated into a physical task. 


When designing complex algorithms and protocols for various information- 
processing tasks, it is very helpful, perhaps essential, to work with some idealized 
computing model. However, when studying the true limitations of a computing 
device, especially for some practical reason, it is important not to forget the rela- 
tionship between computing and physics. Real computing devices are embodied 
in a larger and often richer physical reality than is represented by the idealized 
computing model. 


Quantum information processing is the result of using the physical reality that 
quantum theory tells us about for the purposes of performing tasks that were 
previously thought impossible or infeasible. Devices that perform quantum in- 
formation processing are known as quantum computers. In this book we examine 
how quantum computers can be used to solve certain problems more efficiently 
than can be done with classical computers, and also how this can be done reliably 
even when there is a possibility for errors to occur. 


In this first chapter we present some fundamental notions of computation theory 
and quantum physics that will form the basis for much of what follows. After 
this brief introduction, we will review the necessary tools from linear algebra in 
Chapter 2, and detail the framework of quantum mechanics, as relevant to our 
model of quantum computation, in Chapter 3. In the remainder of the book we 
examine quantum teleportation, quantum algorithms and quantum error correc- 
tion in detail. 
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1.2 Computers and the Strong Church—Turing Thesis 


We are often interested in the amount of resources used by a computer to solve a 
problem, and we refer to this as the complexity of the computation. An important 
resource for a computer is time. Another resource is space, which refers to the 
amount of memory used by the computer in performing the computation. We 
measure the amount of a resource used in a computation for solving a given 
problem as a function of the length of the input of an instance of that problem. 
For example, if the problem is to multiply two n bit numbers, a computer might 
solve this problem using up to 2n?+3 units of time (where the unit of time may be 
seconds, or the length of time required for the computer to perform a basic step). 


Of course, the exact amount of resources used by a computer executing an algo- 
rithm depends on the physical architecture of the computer. A different computer 
multiplying the same numbers mentioned above might use up to time 4n3+n+5 
to execute the same basic algorithm. This fact seems to present a problem if we 
are interested in studying the complexity of algorithms themselves, abstracted 
from the details of the machines that might be used to execute them. To avoid 
this problem we use a more coarse measure of complexity. One coarser measure 
is to consider only the highest-order terms in the expressions quantifying re- 
source requirements, and to ignore constant multiplicative factors. For example, 
consider the two computers mentioned above that run a searching algorithm in 
times 2n? + 3 and 4n® + n+ 7, respectively. The highest-order terms are n? and 
n°, respectively (suppressing the constant multiplicative factors 2 and 4, respec- 
tively). We say that the running time of that algorithm for those computers is 
in O(n?) and O(n3), respectively. 


We should note that O (f(n)) denotes an upper bound on the running time of the 
algorithm. For example, if a running time complexity is in O(n”) or in O(log n), 
then it is also in O(n3). In this way, expressing the resource requirements using 
the O notation gives a hierarchy of complexities. If we wish to describe lower 
bounds, then we use the (2 notation. 


It often is very convenient to go a step further and use an even more coarse de- 
scription of resources used. As we describe in Section 9.1, in theoretical computer 
science, an algorithm is considered to be efficient with respect to some resource if 
the amount of that resource used in the algorithm is in O(n*) for some k. In this 
case we say that the algorithm is polynomial with respect to the resource. If an 
algorithm’s running time is in O(n), we say that it is linear, and if the running 
time is in O(logn) we say that it is logarithmic. Since linear and logarithmic 
functions do not grow faster than polynomial functions, these algorithms are 
also efficient. Algorithms that use Q(c”) resources, for some constant c, are said 
to be exponential, and are considered not to be efficient. If the running time of 
an algorithm cannot be bounded above by any polynomial, we say its running 
time is superpolynomial. The term ‘exponential’ is often used loosely to mean 
superpolynomial. 
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One advantage of this coarse measure of complexity, which we will elaborate 
on, is that it appears to be robust against reasonable changes to the computing 
model and how resources are counted. For example, one cost that is often ignored 
when measuring the complexity of a computing model is the time it takes to 
move information around. For example, if the physical bits are arranged along 
a line, then to bring together two bits that are n-units apart will take time 
proportional to n (due to special relativity, if nothing else). Ignoring this cost 
is in general justifiable, since in modern computers, for an n of practical size, 
this transportation time is negligible. Furthermore, properly accounting for this 
time only changes the complexity by a linear factor (and thus does not affect the 
polynomial versus superpolynomial dichotomy). 


Computers are used so extensively to solve such a wide variety of problems, that 
questions of their power and efficiency are of enormous practical importance, 
aside from being of theoretical interest. At first glance, the goal of characterizing 
the problems that can be solved on a computer, and to quantify the efficiency 
with which problems can be solved, seems a daunting one. The range of sizes 
and architectures of modern computers encompasses devices as simple as a single 
programmable logic chip in a household appliance, and as complex as the enor- 
mously powerful supercomputers used by NASA. So it appears that we would be 
faced with addressing the questions of computability and efficiency for computers 
in each of a vast number of categories. 


The development of the mathematical theories of computability and compu- 
tational complexity theory has shown us, however, that the situation is much 
better. The Church—Turing Thesis says that a computing problem can be solved 
on any computer that we could hope to build, if and only if it can be solved on a 
very simple ‘machine’, named a Turing machine (after the mathematician Alan 
Turing who conceived it). It should be emphasized that the Turing ‘machine’ 
is a mathematical abstraction (and not a physical device). A Turing machine is 
a computing model consisting of a finite set of states, an infinite ‘tape’ which 
symbols from a finite alphabet can be written to and read from using a mov- 
ing head, and a transition function that specifies the next state in terms of the 
current state and symbol currently pointed to by the head. 


If we believe the Church—Turing Thesis, then a function is computable by a 
Turing machine if and only if it is computable by some realistic computing device. 
In fact, the technical term computable corresponds to what can be computed by 
a Turing machine. 


To understand the intuition behind the Church-Turing Thesis, consider some 
other computing device, A, which has some finite description, accepts input 
strings xz, and has access to an arbitrary amount of workspace. We can write 
a computer program for our universal Turing machine that will simulate the 
evolution of A on input x. One could either simulate the logical evolution of A 
(much like one computer operating system can simulate another), or even more 
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naively, given the complete physical description of the finite system A, and the 
laws of physics governing it, our universal Turing machine could alternatively 
simulate it at a physical level. 


The original Church—Turing Thesis says nothing about the efficiency of com- 
putation. When one computer simulates another, there is usually some sort of 
‘overhead’ cost associated with the simulation. For example, consider two types 
of computer, A and B. Suppose we want to write a program for A so that it 
simulates the behaviour of B. Suppose that in order to simulate a single step of 
the evolution of B, computer A requires 5 steps. Then a problem that is solved 
by B in time O(n?) is solved by A in time in 5-O(n3) = O(n). This simulation 
is efficient. Simulations of one computer by another can also involve a trade-off 
between resources of different kinds, such as time and space. As an example, con- 
sider computer A simulating another computer C’. Suppose that when computer 
C uses S units of space and T units of space, the simulation requires that A use 
up to O(ST2°) units of time. If C can solve a problem in time O(n?) using O(n) 
space, then A uses up to O(n°2”) time to simulate C. 


We say that a simulation of one computer by another is efficient if the ‘overhead’ 
in resources used by the simulation is polynomial (i.e. simulating an O(f(n)) 
algorithm uses O(f(n)*) resources for some fixed integer k). So in our above 
example, A can simulate B efficiently but not necessarily C (the running times 
listed are only upper bounds, so we do not know for sure if the exponential 
overhead is necessary). 


One alternative computing model that is more closely related to how one typi- 
cally describes algorithms and writes computer programs is the random access 
machine (RAM) model. A RAM machine can perform elementary computational 
operations including writing inputs into its memory (whose units are assumed to 
store integers), elementary arithmetic operations on values stored in its memory, 
and an operation conditioned on some value in memory. The classical algorithms 
we describe and analyse in this textbook implicitly are described in log-RAM 
model, where operations involving n-bit numbers take time n. 


In order to extend the Church—Turing Thesis to say something useful about the 
efficiency of computation, it is useful to generalize the definition of a Turing 
machine slightly. A probabilistic Turing machine is one capable of making a ran- 
dom binary choice at each step, where the state transition rules are expanded to 
account for these random bits. We can say that a probabilistic Turing machine is 
a Turing machine with a built-in ‘coin-flipper’. There are some important prob- 
lems that we know how to solve efficiently using a probabilistic Turing machine, 
but do not know how to solve efficiently using a conventional Turing machine 
(without a coin-flipper). An example of such a problem is that of finding square 
roots modulo a prime. 


It may seem strange that the addition of a source of randomness (the coin-flipper) 
could add power to a Turing machine. In fact, some results in computational 
complexity theory give reason to suspect that every problem (including the 
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“square root modulo a prime” problem above) for which probabilistic Turing 
machine can efficiently guess the correct answer with high probability, can 
be solved efficiently by a deterministic Turing machine. However, since we do 
not have proof of this equivalence between Turing machines and _ probabilis- 
tic Turing machines, and problems such as the square root modulo a prime 
problem above are evidence that a coin-flipper may offer additional power, we 
will state the following thesis in terms of probabilistic Turing machines. This 
thesis will be very important in motivating the importance of quantum com- 
puting. 


(Classical) Strong Church—Turing Thesis: A probabilistic Turing machine can 
efficiently simulate any realistic model of computation. 


Accepting the Strong Church—Turing Thesis allows us to discuss the notion of the 
intrinsic complexity of a problem, independent of the details of the computing 
model. 


The Strong Church—Turing Thesis has survived so many attempts to violate it 
that before the advent of quantum computing the thesis had come to be widely 
accepted. To understand its importance, consider again the problem of deter- 
mining the computational resources required to solve computational problems. 
In light of the strong Church—Turing Thesis, the problem is vastly simplified. 
It will suffice to restrict our investigations to the capabilities of a probabilistic 
Turing machine (or any equivalent model of computation, such as a modern per- 
sonal computer with access to an arbitrarily large amount of memory), since any 
realistic computing model will be roughly equivalent in power to it. You might 
wonder why the word ‘realistic’ appears in the statement of the strong Church— 
Turing Thesis. It is possible to describe special-purpose (classical) machines for 
solving certain problems in such a way that a probabilistic Turing machine sim- 
ulation may require an exponential overhead in time or space. At first glance, 
such proposals seem to challenge the strong Church—Turing Thesis. However, 
these machines invariably ‘cheat’ by not accounting for all the resources they 
use. While it seems that the special-purpose machine uses exponentially less 
time and space than a probabilistic Turing machine solving the problem, the 
special-purpose machine needs to perform some physical task that implicitly re- 
quires superpolynomial resources. The term realistic model of computation in 
the statement of the strong Church—Turing Thesis refers to a model of compu- 
tation which is consistent with the laws of physics and in which we explicitly 
account for all the physical resources used by that model. 


It is important to note that in order to actually implement a Turing machine 
or something equivalent it, one must find a way to deal with realistic errors. 
Error-correcting codes were developed early in the history of computation in 
order to deal with the faults inherent with any practical implementation of a 
computer. However, the error-correcting procedures are also not perfect, and 
could introduce additional errors themselves. Thus, the error correction needs to 
be done in a fault-tolerant way. Fortunately for classical computation, efficient 
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fault-tolerant error-correcting techniques have been found to deal with realistic 
error models. 


The fundamental problem with the classical strong Church—Turing Thesis is that 
it appears that classical physics is not powerful enough to efficiently simulate 
quantum physics. The basic principle is still believed to be true; however, we need 
a computing model capable of simulating arbitrary ‘realistic’ physical devices, 
including quantum devices. The answer may be a quantum version of the strong 
Church—Turing Thesis, where we replace the probabilistic Turing machine with 
some reasonable type of quantum computing model. We describe a quantum 
model of computing in Chapter 4 that is equivalent in power to what is known 
as a quantum Turing machine. 


Quantum Strong Church—Turing Thesis: A quantum Turing machine can effi- 
ciently simulate any realistic model of computation. 


1.3. The Circuit Model of Computation 


In Section 1.2, we discussed a prototypical computer (or model of computation) 
known as the probabilistic Turing machine. Another useful model of computa- 
tion is that of a uniform families of reversible circuits. (We will see in Section 1.5 
why we can restrict attention to reversible gates and circuits.) Circuits are net- 
works composed of wires that carry bit values to gates that perform elementary 
operations on the bits. The circuits we consider will all be acyclic, meaning that 
the bits move through the circuit in a linear fashion, and the wires never feed 
back to a prior location in the circuit. A circuit C, has n wires, and can be 
described by a circuit diagram similar to that shown in Figure 1.1 for n = 4. 
The input bits are written onto the wires entering the circuit from the left side 
of the diagram. At every time step ¢ each wire can enter at most one gate G. 
The output bits are read-off the wires leaving the circuit at the right side of the 
diagram. 


A circuit is an array or network of gates, which is the terminology often used 
in the quantum setting. The gates come from some finite family, and they take 


14 Gi O1 
19 G3 02 
. Go 

13 03 
14 G4 04 


Fig. 1.1 A circuit diagram. The horizontal lines represent ‘wires’ carrying the bits, 
and the blocks represent gates. Bits propagate through the circuit from left to right. 
The input bits 71,22,73,74 are written on the wires at the far left edge of the circuit, 
and the output bits 01, 02, 03,04 are read-off the far right edge of the circuit. 
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information from input wires and deliver information along some output wires. 
A family of circuits is a set of circuits {C,,|n € Z*}, one circuit for each input 
size n. The family is uniform if we can easily construct each C, (say by an 
appropriately resource-bounded Turing machine). The point of uniformity is so 
that one cannot ‘sneak’ computational power into the definitions of the circuits 
themselves. For the purposes of this textbook, it suffices that the circuits can 
be generated by a Turing machine (or an equivalent model, like the log-RAM) 
in time in O(n*|C,,|), for some non-negative constant k, where |C;,,| denotes the 
number of gates in Cy. 


An important notion is that of universality. It is convenient to show that a finite 
set of different gates is all we need to be able to construct a circuit for performing 
any computation we want. This is captured by the following definition. 


Definition 1.3.1 A set of gates is universal for classical computation if, for 
any positive integers n,m, and function f : {0,1}" — {0,1}™, a circuit can be 
constructed for computing f using only gates from that set. 


A well-known example of a set of gates that is universal for classical computa- 
tion is {NAND, FANOUT}.! If we restrict ourselves to reversible gates, we cannot 
achieve universality with only one- and two-bit gates. The Toffoli gate is a re- 
versible three-bit gate that has the effect of flipping the third bit, if and only 
if the first two bits are both in state 1 (and does nothing otherwise). The set 
consisting of just the Toffoli gate is universal for classical computation.” 


In Section 1.2, we extended the definition of the Turing machine and defined 
the probabilistic Turing machine. The probabilistic Turing machine is obtained 
by equipping the Turing machine with a ‘coin-flipper’ capable of generating a 
random binary value in a single time-step. (There are other equivalent ways of 
formally defining a probabilistic Turing machine.) We mentioned that it is an 
open question whether a probabilistic Turing machine is more powerful than a 
deterministic Turing machine; there are some problems that we do not know how 
to solve on a deterministic Turing machine but we know how to solve efficiently 
on a probabilistic Turing machine. We can define a model of probabilistic circuits 
similarly by allowing our circuits to use a ‘coin-flipping gate’, which is a gate that 
acts on a single bit, and outputs a random binary value for that bit (independent 
of the value of the input bit). 


When we considered Turing machines in Section 1.2, we saw that the complexity 
of a computation could be specified in terms of the amount of time or space the 
machine uses to complete the computation. For the circuit model of computation 
one natural measure of complexity is the number of gates used in the circuit Cy. 
Another is the depth of the circuit. If we visualize the circuit as being divided 


l1The NAND gate computes the negation of the logical AND function, and the FANOUT 
gate outputs two copies of a single input wire. 


?For the Toffoli gate to be universal we need the ability to add ancillary bits to the circuit 
that can be initialized to either 0 or 1 as required. 
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Fig. 1.2 A circuit of depth 5, space (width) 4, and having a total of 8 gates. 


into a sequence of discrete time-slices, where the application of a single gate 
requires a single time-slice, the depth of a circuit is its total number of time- 
slices. Note that this is not necessarily the same as the total number of gates in 
the circuit, since gates that act on disjoint bits can often be applied in parallel 
(e.g. a pair of gates could be applied to the bits on two different wires during 
the same time-slice). A third measure of complexity for a circuit is analogous to 
space for a Turing machine. This is the total number of bits, or ‘wires’ in the 
circuit, sometimes called the width or space of the circuit. These measures of 
circuit complexity are illustrated in Figure 1.2. 


1.4 A Linear Algebra Formulation of the Circuit Model 


In this section we formulate the circuit model of computation in terms of vec- 
tors and matrices. This is not a common approach taken for classical computer 
science, but it does make the transition to the standard formulation of quan- 
tum computers much more direct. It will also help distinguish the new notations 
used in quantum information from the new concepts. The ideas and terminology 
presented here will be generalized and recur throughout this book. 


Suppose you are given a description of a circuit (e.g. in a diagram like Figure 1.1), 
and a specification of some input bit values. If you were asked to predict the 
output of the circuit, the approach you would likely take would be to trace 
through the circuit from left to right, updating the values of the bits stored on 
each of the wires after each gate. In other words, you are following the ‘state’ of 
the bits on the wires as they progress through the circuit. For a given point in 
the circuit, we will often refer to the state of the bits on the wires at that point 
in the circuit simply as the ‘state of the computer’ at that point. 


The state associated with a given point in a deterministic (non-probabilistic) 
circuit can be specified by listing the values of the bits on each of the wires 
in the circuit. The ‘state’ of any particular wire at a given point in a circuit, 
of course, is just the value of the bit on that wire (0 or 1). For a probabilistic 
circuit, however, this simple description is not enough. 


Consider a single bit that is in state 0 with probability po and in state 1 with 
probability p,;. We can summarize this information by a 2-dimensional vector of 
probabilities 
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-) (1.4.1) 


Note that this description can also be used for deterministic circuits. A wire in 
a deterministic circuit whose state is 0 could be specified by the probabilities 
po = 1 and p; = 0, and the corresponding vector 


(5) (1.4.2) 


Similarly, a wire in state 1 could be represented by the probabilities pp = 0, 
p, = 1, and the vector 

0 

(7) : (1.4.3) 


Since we have chosen to represent the states of wires (and collections of wires) 
in a circuit by vectors, we would like to be able to represent gates in the circuit 
by operators that act on the state vectors appropriately. The operators are con- 
veniently described by matrices. Consider the logical NOT gate. We would like to 
define an operator (matrix) that behaves on state vectors in a manner consistent 
with the behaviour of the NOT gate. If we know a wire is in state 0 (so po = 1), 
the NOT gate maps it to state 1 (so p,; = 1), and vice versa. In terms of the 
vector representations of these states, we have 


or(\=(),  xor(J=(). aaa 


This implies that we can represent the NOT vector by the matrix 


NOT = 


: A . (1.4.5) 


To ‘apply’ the gate to a wire in a given state, we multiply the corresponding 
state vector on the left by the matrix representation of the gate: 


NOT i) = i 4 e) (1.4.6) 


Suppose we want to describe the state associated with a given point in a proba- 
bilistic circuit having two wires. Suppose the state of the first wire at the given 
point is 0 with probability po and 1 with probability p;. Suppose the state of the 
second wire at the given point is 0 with probability go and 1 with probability qq. 
The four possibilities for the combined state of both wires at the given point are 
{00,01,10,11} (where the binary string ij indicates that the first wire is in state 
i and the second wire in state j). The probabilities associated with each of these 
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four states are obtained by multiplying the corresponding probabilities for each 
of the four states: 


prob(i7) = pigq;- (1.4.7) 


This means that the combined state of both wires can be described by the 
4-dimensional vector of probabilities 


Podo 
a | (1.4.8) 
P1490 
P10 


As we will see in Section 2.6, this vector is the tensor product of the 2-dimensional 
vectors for the states of the first and second wires separately: 


Podo 


Pom | _ i.) @ & (1.4.9) 
P1490 Pi 1 


P10 


Tensor products (which will be defined more generally in Section 2.6) arise nat- 
urally when we consider probabilistic systems composed of two or more subsys- 
tems. 


We can also represent gates acting on more than one wire. For example, the 
controlled-NOT gate, denoted CNOT. This is a gate that acts on two bits, labelled 
the control bit and the target bit. The action of the gate is to apply the NOT 
operation to the target if the control bit is 0, and do nothing otherwise (the 
control bit is always unaffected by the CNOT gate). Equivalently, if the state of 
the control bit is c, and the target bit is in state t the CNOT gate maps the target 
bit to t @ c (where ‘@’ represents the logical exclusive-OR operation, or addition 
modulo 2). The CNOT gate is illustrated in Figure 1.3. 


The CNOT gate can be represented by the matrix 


1000 
— 10100 
CNOT= |) 99 1| - (1.4.10) 
0010 
c c 
Aaa 
t a, cet 


Fig. 1.3 The reversible CNOT gate flips the value of the target bit ¢ if and only if the 
control bit c has value 1. 
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Consider, for example, a pair of wires such that the first wire is in state 1 and 
the second in state 0. This means that the 4-dimensional vector describing the 
combined state of the pair of wires is 


0 
: (1.4.11) 
0 
Suppose we apply to the CNOT gate to this pair of wires, with the first wire as the 
control bit, and the second as the target bit. From the description of the CNOT 
gate, we expect the result should be that the control bit (first wire) remains in 


state 1, and the target bit (second wire) flips to state 1. That is, we expect the 
resulting state vector to be 


(1.4.12) 


ROS. 


We can check that the matrix defined above for CNOT does what we expect: 


0 1000] /0 0 
0 0100] | 0 0 

CNOT] 1 1 =loo01l 11] = lo (1.4.13) 
0 0010] \O 1 


It is also interesting to note that if the first bit is in the state 


Nle Dele 


and the second bit is in the state 


(3) 


then applying the CNOT will create the state 


NIR OCONIFR 


This state cannot be factorized into the tensor product of two independent prob- 
abilistic bits. The states of two such bits are correlated. 
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We have given a brief overview of the circuit model of computation, and presented 
a convenient formulation for it in terms of matrices and vectors. The circuit model 
and its formulation in terms of linear algebra will be generalized to describe 
quantum computers in Chapter 4. 


1.5 Reversible Computation 


The theory of quantum computing is related to a theory of reversible computing. 
A computation is reversible if it is always possible to uniquely recover the input, 
given the output. For example, the NOT operation is reversible, because if the 
output bit is 0, you know the input bit must have been 1, and vice versa. On 
the other hand, the AND operation is not reversible (see Figure 1.4). 


As we now describe, any (generally irreversible) computation can be transformed 
into a reversible computation. This is easy to see for the circuit model of compu- 
tation. Each gate in a finite family of gates can be made reversible by adding some 
additional input and output wires if necessary. For example, the AND gate can be 
made reversible by adding an additional input wire and two additional output 
wires (see Figure 1.5). Note that additional information necessary to reverse the 
operation is now kept and accounted for. Whereas in any physical implemen- 
tation of a logically irreversible computation, the information that would allow 
one to reverse it is somehow discarded or absorbed into the environment. 


x 


Fig. 1.4 The NoT and AND gates. Note that the NOT gate is reversible while the AND 
gate is not. 


tg | Xo 
1 ———\ AND -—— 2 
v2 ———— |L____ %o @ (ao A 21) 


Fig. 1.5 The reversible AND gate keeps a copy of the inputs and adds the AND of xo 
and x1 (denoted x1 A x2) to the value in the additional input bit. Note that by fixing 
the additional input bit to 0 and discarding the copies of the zp and x1 we can simulate 
the non-reversible AND gate. 
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Note that the reversible AND gate which is in fact the Toffoli gate defined in 
the previous section, is a generalization of the CNOT gate (the CNOT gate is 
reversible), where there are two bits controlling whether the NOT is applied to 
the third bit. 


By simply replacing all the irreversible components with their reversible coun- 
terparts, we get a reversible version of the circuit. If we start with the output, 
and run the circuit backwards (replacing each gate by its inverse), we obtain the 
input again. The reversible version might introduce some constant number of 
additional wires for each gate. Thus, if we have an irreversible circuit with depth 
T and space S, we can easily construct a reversible version that uses a total of 
O(S + ST) space and depth T. Furthermore, the additional ‘junk’ information 
generated by making each gate reversible can also be erased at the end of the 
computation by first copying the output, and then running the reversible circuit 
in reverse to obtain the starting state again. Of course, the copying has to be 
done in a reversible manner, which means that we cannot simply overwrite the 
value initially in the copy register. The reversible copying can be achieved by a 
sequence of CNOT gates, which xXOR the value being copied with the value ini- 
tially in the copy register. By setting the bits in the copy register initially to 0, 
we achieved the desired effect. This reversible scheme® for computing a function 
f is illustrated in Figure 1.6. 


Exercise 1.5.1 A sequence of n CNOT gates with the target bits all initialized to 0 is 
the simplest way to copy an n-bit string y stored in the control bits. However, more 
sophisticated copy operations are also possible, such as a circuit that treats a string 
y as the binary representation of the integer yi + 2y2 + 4y3 +-:-2" lyn and adds y 
modulo 2” to the copy register (modular arithmetic is defined in Section 7.3.2). 


Describe a reversible 4-bit circuit that adds modulo 4 the integer y € {0,1, 2,3} repre- 
sented in binary in the first two bits to the integer z represented in binary in the last 
two bits. 


If we suppress the ‘temporary’ registers that are 0 both before and after the 
computation, the reversible circuit effectively computes 


(21, £2, %3), (€1, C2,€3) +> (1, £2, £3), (C1 B Y1, C2 B Yo, C3 D Ys), (1.5.1) 


where f(21,22,23) = (y1,Y2,y3). In general, given an implementation (not 
necessarily reversible) of a function f, we can easily describe a reversible 
implementation of the form 


(x, ¢) > (2,¢@ f(2)) 


3In general, reversible circuits for computing a function f do not need to be of this form, 
and might require much fewer than twice the number of gates as a non-reversible circuit for 
implementing f. 
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v1 — Ty Ty 
Input L2 __| L r 
3 | L3 X3 
— YW @ =I] 0 
Output 0 __| es f Yo e C f 0 
0 — Y3 ® , 0 
Workspace 0— ni 0 
0 —4 Jo 0 
0 x Y1 
Copy 0 xX Y2 
0 xX Y3 


Fig. 1.6 A circuit for reversibly computing f(x). Start with the input. Compute f(x) 
using reversible logic, possibly generating some extra ‘junk’ bits 71 and jo. The block 
labelled Cy represents a circuit composed of reversible gates. Then copy the output 
y = f(«) to another register. Finally run the circuit for Cy backwards (replacing each 
gate by its inverse gate) to erase the contents of the output and workspace registers. 
Note we write the operation of the backwards circuit by O;". 


with modest overhead. There are more sophisticated techniques that can often be 
applied to achieve reversible circuits with different time and space bounds than 
described above. The approach we have described is intended to demonstrate that 
in principle we can always find some reversible circuit for any given computation. 


In classical computation, one could choose to be more environmentally friendly 
and uncompute redundant or junk information, and reuse the cleared-up memory 
for another computation. However, simply discarding the redundant information 
does not actually affect the outcome of the computation. In quantum computa- 
tion however, discarding information that is correlated to the bits you keep can 
drastically change the outcome of a computation. For this reason, the theory of 
reversible computation plays an important role in the development of quantum 
algorithms. In a manner very similar to the classical case, reversible quantum 
operations can efficiently simulate non-reversible quantum operations (and some- 
times vice versa) so we generally focus attention on reversible quantum gates. 
However, for the purposes of implementation or algorithm design, this is not al- 
ways necessary (e.g. one can cleverly configure special families of non-reversible 
gates to efficiently simulate reversible ones). 


Example 1.5.1 As pointed out in Section 1.3, the computing model corresponding 
to uniform families of acyclic reversible circuits can efficiently simulate any standard 
model of classical computation. This section shows how any function that we know how 
to efficiently compute on a classical computer has a uniform family of acyclic reversible 
circuits that implements the function reversibly as illustrated in Equation 1.5.1. 


Consider, for example, the arcsin function which maps [0,1] + [0,5] so that 
sin(arcsin(z)) = « for any x € [0,1]. Since one can efficiently compute n-bit 
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Beam splitter 


source 
Fig. 1.7 Experimental setup with one beam splitter. 


approximations of the arcsin function on a classical computer (e.g., using its Taylor 
expansion), then there is a uniform family of acyclic reversible circuits, ARCSINn m, 
of size polynomial in n and m, that implement the function arcsinn,m : {0,1}" 
{0,1}™” which approximately computes the arcsin function in the following way. If 
y = arcsiNn,m (x), then 


: x TY 1 
| arcsin (=) Porn| < Sm 
The reversible circuit effectively computes 
(x1, £2, ae} Ln); (c1, C2, C3, ie Cm) — (x1, 22, seg, In); (e1 D Yi, C2 © y2, sey Cm B ym) 


(1.5.2) 
where y = yiy2---Yn- 


1.6 A Preview of Quantum Physics 


Here we describe an experimental set-up that cannot be described in a natural 
way by classical physics, but has a simple quantum explanation. The point we 
wish to make through this example is that the description of the universe given 
by quantum mechanics differs in fundamental ways from the classical description. 
Further, the quantum description is often at odds with our intuition, which has 
evolved according to observations of macroscopic phenomena which are, to an 
extremely good approximation, classical. 


Suppose we have an experimental set-up consisting of a photon source, a beam 
splitter (which was once implemented using a half-silvered mirror), and a pair 
of photon detectors. The set-up is illustrated in Figure 1.7. 


Suppose we send a series of individual photons* along a path from the photon 
source towards the beam splitter. We observe the photon arriving at the detector 
on the right on the beam splitter half of the time, and arriving at the detector 
above the beam splitter half of the time, as illustrated in Figure 1.8. The simplest 
way to explain this behaviour in a theory of physics is to model the beam splitter 
as effectively flipping a fair coin, and choosing whether to transmit or reflect the 


4When we reduce the intensity of a light source we observe that it actualy comes out in 
discrete “chunks”, much like a faint beam of matter comes out one atom at a time. These 
discrete quanta of light are called “photons”. : 
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Fig. 1.8 Measurement statistics with one beam splitter. 


ae Full mirror 


Fig. 1.9 Setup with two beam splitters. 


photon based on the result of the coin-flip, whose outcome determines whether 
the photon is transmitted or reflected. 


Now consider a modification of the set-up, shown in Figure 1.9, involving a pair 
of beam splitters, and fully reflecting mirrors to direct the photons along either 
of two paths. The paths are labelled 0 and 1 in Figure 1.9. It is important to 
note that the length of paths 0 and 1 are equal, so the photons arrive at the 
same time, regardless of which path is taken. 


By treating the beam splitters as independently deciding at random whether to 
transmit or reflect incident photons, classical physics predicts that each of the 
detectors will register photons arriving 50 per cent of the time, on average. Here, 
however, the results of experiments reveal an entirely different behaviour. The 
photons are found arriving at only one of the detectors, 100 per cent of the time! 
This is shown in Figure 1.10. 


The result of the modified experiment is startling, because it does not agree 
with our classical intuition. Quantum physics models the experiment in a way 
that correctly predicts the observed outcomes. The non-intuitive behaviour 
results from features of quantum mechanics called superposition and 
interference. We will give a preview of the new framework introduced to explain 
this interference. 
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Fig. 1.10 Measurement statistics with two beam splitters. 
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Fig. 1.11 The ‘0’ path. 


Suppose for the moment that the second beam splitter were not present in the 
apparatus. Then the photon follows one of two paths (according to classical 
physics), depending on whether it is reflected or transmitted by the first beam 
splitter. If it is transmitted through the first beam splitter, the photon arrives at 
the top detector, and if it is reflected, the photon arrives at the detector on the 
right. We can consider a photon in the apparatus as a 2-state system, letting 
the presence of the photon in one path represent a ‘0’ and letting the presence of 
the photon in the other path represent a ‘1’. The ‘0’ and ‘1’ paths are illustrated 
in Figures 1.11 and 1.12, respectively. 


For reasons that will become clear later, we denote the state of a photon in path 


‘0’ by the vector 
oO) (1.6.1) 


and of a photon in path ‘1’ by the vector 


(7) (1.6.2) 


The photon leaving the source starts out in the ‘0’ path. In a classical descrip- 
tion, we model the beam splitter as randomly selecting whether the photon will 
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4 


Fig. 1.12 The ‘1’ path. 


continue along the ‘0’ path, or be reflected into the ‘1’ path. According to the 
quantum mechanical description, the beam splitter causes the photon to go into 
a superposition of taking both the ‘0’ and ‘1’ paths. Mathematically, we describe 
such a superposition by taking a linear combination of the state vectors for the 
‘0’ and ‘1’ paths, so the general path state will be described by a vector 


a9 6 + a4 (?) = & (1.6.3) 


If we were to physically measure the photon to see which path it is in, we will find 
it in path ‘0’ with probability |ag|?, and in path ‘1’ with probability |a,|?. Since 
we should find the photon in exactly one path, we must have |ao|? + |ay|? = 1. 


When the photon passes through the beam splitter, we multiply its ‘state vector’ 
by the matrix 
= E | (1.6.4) 
Ja lil: 6. 


So for the photon starting out in path ‘0’, after passing through the first beam 
splitter it comes out in state 


SEOs) om 
_ 5 (4) +s (7) . (1.6.6) 


This result corresponds with the observed behaviour that, after going through 


the first beam splitter, we would measure the photon in path ‘0’ with probability 


lz? = $, and in path ‘1’ with probability IZ? —— 


If we do not measure which path the photon is in, immediately after it passes 
through the first beam splitter, then its state remains 


a i (1.6.7) 
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Now if the photon is allowed to pass through the second beam splitter (before 
making any measurement of the photon’s path), its new state vector is 


Ca)GSE)-E os 


If we measure the path of the photon after the second beam splitter (e.g. by the 
detectors shown in Figure 1.9), we find it coming out in the ‘1’ path with prob- 
ability |i]? = 1. Thus after the second beam splitter the photon is entirely in the 
‘1’ path, which is what is observed in experiments (as illustrated in Figure 1.10). 
In the language of quantum mechanics, the second beam splitter has caused the 
two paths (in superposition) to interfere, resulting in cancelation of the ‘0’ path. 
We see many more examples of quantum interference throughout this text. 


It is not clear what it really ‘means’ for the photon to be in the state described 


by a vector like 
1/1 
V2 & ; (1.6.9) 


but this unusual mathematical infrastructure does allow us to explain how these 
surprising interference patterns work and to make reliable predictions about the 
outcomes of measurements. 


This new mathematical framework is called quantum mechanics, and we describe 
its postulates in more detail in Section 3. 


1.7 Quantum Physics and Computation 


We often think of information in terms of an abstract mathematical concept. To 
get into the theory of what information is, and how it is quantified, would easily 
take a whole course in itself. For now, we fall back on an intuitive understanding 
of the concept of information. Whatever information is, to be useful it must 
be stored in some physical medium and manipulated by some physical process. 
This implies that the laws of physics ultimately dictate the capabilities of any 
information-processing machine. So it is only reasonable to consider the laws of 
physics when we study the theory of information processing and in particular 
the theory of computation. 


Up until the turn of the twentieth century, the laws of physics were thought 
to be what we now call classical. Newton’s equations of motion and Maxwell’s 
equations of electromagnetism predicted experimentally observed phenomena 
with remarkable accuracy and precision. 


At the beginning of the last century, as scientists were examining phenomena 
on increasingly smaller scales, it was discovered that some experiments did not 
agree with the predictions of the classical laws of nature. These experiments 
involved observations of phenomena on the atomic scale, that had not been 
accessible in the days of Newton or Maxwell. The work of Planck, Bohr, de 
Broglie, Schrodinger, Heisenberg and others lead to the development of a new 
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theory of physics that came to be known as ‘quantum physics’. Newton’s and 
Maxwell’s laws were found to be an approximation to this more general theory of 
quantum physics. The classical approximation of quantum mechanics holds up 
very well on the macroscopic scale of objects like planets, airplanes, footballs, or 
even molecules. But on the ‘quantum scale’ of individual atoms, electrons, and 
photons, the classical approximation becomes very inaccurate, and the theory of 
quantum physics must be taken in to account. 


A probabilistic Turing machine (described in Section 1.2) is implicitly a clas- 
sical machine. We could build such a machine out of relatively large physical 
components, and all the aspects of its behaviour relevant to its performing a 
computation could be accurately predicted by the laws of classical physics. 


One of the important classes of tasks that computers are used for is to simulate 
the evolution of physical systems. When we attempt to use computers to simu- 
late systems whose behaviour is explicitly quantum mechanical, many physicists 
(including Richard Feynman) observed that we do not seem to be able to do so 
efficiently. Any attempt to simulate the evolution of a generic quantum—physical 
system on a probabilistic Turing machine seems to require an exponential over- 
head in resources. 


Feynman suggested that a computer could be designed to exploit the laws of 
quantum physics, that is, a computer whose evolution is explicitly quantum 
mechanical. In light of the above observation, it would seem that we would be 
unable to simulate such a computer with a probabilistic Turing machine. If we 
believe that such a quantum computer is ‘realistic’ then it seems to violate the 
strong Church—Turing Thesis! The first formal model of a quantum computer was 
given by David Deutsch, who proposed a model for a quantum Turing machine 
as well as the quantum circuit model. 


That it is possible to design a model of computation based explicitly on the 
principles of quantum mechanics is very interesting in itself. What is truly ex- 
traordinary is that important problems have been found that can be solved 
efficiently on a quantum computer, but no efficient solution is known on a prob- 
abilistic Turing machine! This implies that the theory of quantum computing 
is potentially of enormous practical importance, as well as of deep theoretical 
interest. 
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LINEAR ALGEBRA AND 
THE DIRAC NOTATION 


We assume the reader has a strong background in elementary linear algebra. In 
this section we familiarize the reader with the algebraic notation used in quantum 
mechanics, remind the reader of some basic facts about complex vector spaces, 
and introduce some notions that might not have been covered in an elementary 
linear algebra course. 


2.1. The Dirac Notation and Hilbert Spaces 


The linear algebra notation used in quantum computing will likely be familiar 
to the student of physics, but may be alien to a student of mathematics or 
computer science. It is the Dirac notation, which was invented by Paul Dirac 
and which is used often in quantum mechanics. In mathematics and physics 
textbooks, vectors are often distinguished from scalars by writing an arrow over 
the identifying symbol: e.g. d@. Sometimes boldface is used for this purpose: e.g. 
a. In the Dirac notation, the symbol identifying a vector is written inside a ‘ket’, 
and looks like |a). We denote the dual vector for a (defined later) with a ‘bra’, 
written as (a|. Then inner products will be written as ‘bra-kets’ (e.g. (a|b)). We 
now carefully review the definitions of the main algebraic objects of interest, 
using the Dirac notation. 


The vector spaces we consider will be over the complex numbers, and are finite- 
dimensional, which significantly simplifies the mathematics we need. Such vector 
spaces are members of a class of vector spaces called Hilbert spaces. Nothing 
substantial is gained at this point by defining rigorously what a Hilbert space is, 
but virtually all the quantum computing literature refers to a finite-dimensional 
complex vector space by the name ‘Hilbert space’, and so we will follow this 
convention. We will use 1 to denote such a space. 


Since H is finite-dimensional, we can choose a basis and alternatively represent 
vectors (kets) in this basis as finite column vectors, and represent operators with 
finite matrices. As you see in Section 3, the Hilbert spaces of interest for quantum 
computing will typically have dimension 2”, for some positive integer n. This is 
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because, as with classical information, we will construct larger state spaces by 
concatenating a string of smaller systems, usually of size two. 


We will often choose to fix a convenient basis and refer to it as the computational 
basis. In this basis, we will label the 2” basis vectors in the Dirac notation using 
the binary strings of length n: 


00.200)" §- (00.201) 5 eight). Meas. (2.1.1) 


n 


The standard way to associate column vectors corresponding to these basis vec- 
tors is as follows: 


oo Fe 
oie. © 


oo 
vc 


(an aoa an) 
oC eo 


, [ll...10) <> |], fal...d1) es J]. (2.1.2) 


ore 
Fyn see 


An arbitrary vector in H can be written either as a weighted sum of the basis 
vectors in the Dirac notation, or as a single column matrix. 


Example 2.1.1 In H of dimension 4, the vector 


2101) + $5111) = 1/20) @ |1) + Jl) @ (1) (2.1.3) 


in Dirac notation can be alternatively written as the column matrix 


0 
V2 

3], 214 
0 (2.1.4) 
Va 


It is important to realize that these are simply alternative expressions for the same 
vector, both with respect to the same basis (the computational basis). 
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You might wonder why one should go to the trouble of learning a strange-looking 
new notation for vectors, when we could just as well use a column vector rep- 
resentation. One answer is that writing vectors using the Dirac notation often 
saves space. Particularly when writing sparse vectors (having few non-zero com- 
ponents), the Dirac notation is very compact. An n-qubit basis state is described 
by a 2”-dimensional vector. In the Dirac notation, we represent this vector by a 
binary string of length n, but the column vector representation would have 2” 
components. For states on 2 or 3 qubits this is not terribly significant, but imag- 
ine writing an 8-qubit state using column vectors. The column vectors would 
have 2° = 256 components, which could be somewhat cumbersome to write out. 
The Dirac notation has other advantages, and these will begin to become ap- 
parent once you start working with things like operators, and various types of 
vector products. 


2.2 Dual Vectors 


Recall from linear algebra the definition of inner product. For the moment we 
will not use the Dirac notation, and write vectors in boldface. For vectors over 
the complex numbers, an inner product is a function which takes two vectors 
from the same space and evaluates to a single complex number. We write the 
inner product of vector v with w as (v,w). An inner product is such a function 
having the following properties. 


1. Linearity in the second argument 
(v, So Aiwi) = $0 Ailv, wi) (2.2.1) 


2. Conjugate-commutativity 
(v,w) = (w,v)* (2.2.2) 
3. Non-negativity 
(v,v) >0 (2.2.3) 
with equality if and only if v = 0. 


Note that in Equation (2.2.2), we use the notation c* to denote the complex 
conjugate! of a complex number c, as will be our convention throughout this 
book. 


A familiar example of an inner product is the dot product for column vectors. 
The dot product of v with w is written v - w and is defined as follows. 


U1 WI WI 
Vv w w ul 
. = (Uj Vg... Un = U; Wi toes 
; i=1 
Un Wn Wn 


lThe complex conjugate of c = a+ bi (where a and b are real) is c* = a — bi. 
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We now return to the Dirac notation, and define the dual vector space and dual 
vectors. 


Definition 2.2.1 Let H be a Hilbert space. The Hilbert space H* is defined as 
the set of linear maps H — C. 


We denote elements of H* by (x|, where the action of (| is: 


(xl: |b)  (xlb) € C, (2.2.5) 
where (x|w) is the inner-product of the vector |) € H with the vector |W) € H. 


The set of maps H* is a complex vector space itself, and is called the dual vector 
space associated with H. The vector (| is called the dual of |v). In terms of 
the matrix representation, (x| is obtained from |v) by taking the corresponding 
row matrix, and then taking the complex conjugate of every element (i.e. the 
‘Hermitean conjugate’ of the column matrix for |)). Then the inner product 
of |¢) with |y) is (|v), which in the matrix representation is computed as the 
single element of the matrix product of the row matrix representing (| with the 
column matrix representing |y). This is equivalent to taking the dot product of 
the column vector associated with |W) with the column vector associated with 


ly). 


Example 2.2.2 Using the standard basis we defined earlier, consider two vectors 


Ib) = lo) + 311) (2.2.6) 
and = _ 
lo) = of $lt0 + $1). (2.2.7) 


These are represented as column vectors 


0 0 

es 0 
V3 : vi (2.2.8) 
A 


respectively. The dot product of these two column vectors is 


0 0 


0 

a at i 0 

Vi) .1 a] -(0y80a)| V3 
a) 


=0-044/2-0+0-/24 s/3 
i 


- (2.2.9) 


TEAM LinG 


DUAL VECTORS 25 


and so the inner product of |) with |v) is 


—t 


(lp) = =. (2.2.10) 


S 


Two vectors are said to be orthogonal if their inner product is zero. The norm of 
a vector |w), denoted |||w)||, is the square root of the inner product of |) with 


itself. That is, 
|!) |] = Vly). (2.2.11) 


The quantity |||) || is called the Euclidean norm of |). A vector is called a unit 
vector if it has norm 1. A set of unit vectors that are mutually orthogonal is 
called an orthonormal set. 


The Kronecker delta function, 6;,;, is defined to be equal to 1 whenever i = J, 
and 0 otherwise. We use the Kronecker delta function in our definition of an 
orthonormal basis. 


Definition 2.2.3 Consider a Hilbert space H of dimension 2”. A set of 2” vec- 
tors B = {|bm)} CH is called an orthonormal basis for H if 


(bn |bm) =Onm Vom, bn € B (2.2.12) 


and every |) € H can be written as 


1b) = S> dnlbn), for some wy, € C. (2.2.13) 


bn€B 


The values of w,, satisfy Wp, = (by|W), and are called the ‘coefficients of |W) with 
respect to basis {|bn) }’. 


Example 2.2.4 Consider 1 of dimension 4. One example of an orthonormal basis for 
H is the computational basis which we saw earlier. The basis vectors are 


|00),|01),|10) and |11). (2.2.14) 


These basis vectors are represented by the following column vectors. 


(2.2.15) 


rFoOoOoo 


0 0 
1 0 
O};’ {1 
0 0 


ooor 


It is easy to check that the inner product of any two of these vectors is 0, and that the 
norm of each of these vectors is 1. In other words 
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(bn |bm) = Onjm (2.2.16) 


for b, and b,, from the set of 4 computational basis vectors above. 


Example 2.2.5 The inner product calculated using the matrix representation in Ex- 
ample 2.2.2 can also be calculated directly using the Dirac notation. We use the fact 
that the computational basis is an orthonormal basis (see Example 2.2.4). 


= (3011+ spn!) (310 + shy) 
“(v2 (F) Vow 


(oly 


we 


-(a) (VF) gunn (a) (v9) en 


Example 2.2.6 This time consider 1 of dimension 2. The computational basis is not 
the only orthonormal basis for H (there are infinitely many). An important example is 
the so-called Hadamard basis. We denote the basis vectors of the Hadamard basis as 
|+) and |—). We can express these basis vectors in terms of the familiar computational 
basis as follows. 


I+) = 45 (Io) + 11) 
|-) = 35 (10) — |). (2.2.17) 
It is easy to check the normality and orthogonality of these basis vectors by doing 


the computation with the column vector representation in terms of the computational 
basis. For example, 


(+1-) = §((0| + (1]) (10) — [1)) 

ee a 

=4(1)-(4) 

=0 (2.2.18) 

and 
III-+) I? = (414) 
= 5((0| + (1) (10) + |1)) 
Pty ft 
=4(7)-G) 
=1 
=> |||+)|| = 1. (2.2.19) 
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Note that if we express |y) = )7, a;|¢;) with respect to any orthonormal basis 
{|9i)}, then ||b)|] = 30; leal?. 


We state the following useful result, without proof. 


Theorem 2.2.7 The set {(b,,|} is an orthonormal basis for H* called the dual 
basis. 


2.3. Operators 
Recall from linear algebra the following definition. 


Definition 2.3.1 A linear operator on a vector space H is a linear transforma- 
tion T : H — H of the vector space to itself (i.e. it is a linear transformation 
which maps vectors in H to vectors in 1). 


Just as the inner product of two vectors |) and |y) is obtained by multiplying 
|) on the left by the dual vector (y|, an outer product is obtained by multiplying 
|) on the right by (y|. The meaning of such an outer product |w)(y| is that it 
is an operator which, when applied to |7), acts as follows. 


(lb) (el) ly) = Ib) ((el7)) 
= ((vl7)) |). (2.3.1) 


The outer product of a vector |w) with itself is written |~) (| and defines a linear 
operator that maps 


ID) lp) > lA) le) = Cle) |e). (2.3.2) 


That is, the operator |W)(w~| projects a vector |y) in H to the 1-dimensional 
subspace of H spanned by |W). Such an operator is called an orthogonal projector 
(Definition 2.3.7). You will see operators of this form when we examine density 
operators in Section 3.5, and measurements in Section 3.4. 


Theorem 2.3.2 Let B = {|b,)} be an orthonormal basis for a vector space H. 
Then every linear operator T on H can be written as 


bn bmEB 


where Thm = (bn|T|bm).- 


We know that the set of all linear operators on a vector space H forms a new 
complex vector space £(H) (‘vectors’ in £(H) are the linear operators on 7). 
Notice that Theorem 2.3.2 essentially constructs a basis for £(H) out of the 
given basis for H. The basis vectors for £(H) are all the possible outer products 
of pairs of basis vectors from B, that is {|bn)(bm|}. 
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The action of T is then 
T: |b) SY > Tamlbn) (bmi) = S> Trim (bml)[on)- (2.3.4) 


bn ,bmEB bn bmEB 
In terms of the matrix representation of T’, Tm is the matrix entry in the nth 


row and m*® column. 


Example 2.3.3 Consider the operator Z that maps the computational basis states as 
follows: 


|0) > |0) (2.3.5) 
|1)  —]1). (2.3.6) 

This operator can be written as 
10) (0] — |1)(2| (2.3.7) 


and has the following matrix representation with respect to the basis {|0),|1)}: 


E | (2.3.8) 


For any orthonormal basis B = {|b,,)}, the identity operator can be written as 
1= S© |bn)(bal- (2.3.9) 
bn €B 
Equation (2.3.9) is called the resolution of the identity in the basis B. 
Notice that, for an operator T on H, and |W) € H, the map 


7) > (y|(TIe)) (2.3.10) 


is a linear map from # to C, and thus belongs to *. Each map in 7(* corresponds 
to some vector (y’|. The adjoint of the operator T, denoted 7", is defined as the 
linear map that sends |g) ++ |y’), where (6|(Tl)) = (¢'W) for all |w). The 
adjoint is captured in the following definition. 


Definition 2.3.4 Suppose T is an operator on H. Then the adjoint of T, de- 
noted T", is defined as that linear operator on H* that satisfies 


((HIT* Py)” = (ITH) . Vib), 1p) € H. (2.3.11) 


In the standard matrix representation, the matrix for T! is the complex conju- 
gate transpose (also called the ‘Hermitean conjugate’, or ‘adjoint’) of the matrix 
for T. 
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The following definition is important, because (as we see in Section 3) it gives 
the class of operators which describe the time-evolution of the quantum states 
of closed systems. 


Definition 2.3.5 An operator U is called unitary if U' = U~!, where U~! is 
the inverse of U. 


Note that U' = U~! implies U'U = I, where I is the identity operator. The 
unitary operators preserve inner products between vectors, and in particular, 
preserve the norm of vectors. 


We also define a class of operators that describes the Hamiltonian of a system as 
well as the observables, which correspond to an important type of measurement 
in quantum mechanics (see Section 3.4). 


Definition 2.3.6 An operator T in a Hilbert space H is called Hermitean (or 
self-adjoint) if 
‘et (2.3.12) 


(i.e. it is equal to its own Hermitean conjugate). 


Definition 2.3.7 A projector on a vector space H is a linear operator P that 
satisfies P? = P. An orthogonal projector is a projector that also satisfies 
Pi Ps 


Recall the following definition from basic linear algebra. 


Definition 2.3.8 A vector |) is called an eigenvector of an operator T if 


Tp) = ely) (2.3.13) 


for some constant c. The constant c is called the eigenvalue of T corresponding 
to the eigenvector |1)). 


The following result is relevant to measurements in quantum mechanics. 


Theorem 2.3.9 If T = T" and if T\y) = A\w) then  € R. In other words, the 
eigenvalues of a Hermitean operator are real. 


In linear algebra one learns that the trace of a square matrix is obtained by 
adding the elements on the main diagonal. We give a more abstract definition of 
trace. 


Definition 2.3.10 The trace of an operator A acting on a Hilbert space H is 


Tr(A) = S°(bn|Albn) (2.3.14) 


bn 
where {|b,)} is any orthonormal basis for H. 
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Exercise 2.3.2 shows that indeed Tr(A) does not depend on the choice of ortho- 
normal basis, and thus is well defined. 


Exercise 2.3.1 Prove that the trace has the cyclic property Tr(ABC) = Tr(BCA). 


Exercise 2.3.2 Using the result of the previous exercise, together with the fact 
that a change of orthonormal basis can be written as a unitary operator, show that 
Tr(A) is independent of the basis in which it is expressed. Notice that in the 
matrix representation, Tr(A) equals the sum of the diagonal entries of the square matrix 
representing A. 


2.4 The Spectral Theorem 


The spectral theorem is a central result in linear algebra, because it is often very 
convenient to be able to specify a basis in which a given operator is diagonal 
(i.e. to diagonalize the operator). The spectral theorem applies to a wide class 
of operators which we now define. 


Definition 2.4.1 A normal operator A is a linear operator that satifies 


AAl = ATA, (2.4.1) 


Notice that both unitary and Hermitean operators are normal. So most of the 
operators that are important for quantum mechanics, and quantum computing, 
are normal. Since in this book we are only interested in Hilbert spaces having 
finite dimensions, we will only consider the spectral theorem in this special case 
(where it is slightly simpler). 


Theorem 2.4.2 (Spectral Theorem) For every normal operator T acting on a 
finite-dimensional Hilbert space H, there is an orthonormal basis of H consisting 
of eigenvectors |T;) of T. 


Note that T is diagonal in its own eigenbasis: T = }°, T;|T;)(Ti|, where T; are 
the eigenvalues corresponding to the eigenvectors |T;). We sometimes refer to 
T written in its own eigenbasis as the spectral decomposition of T. The set of 
eigenvalues of T is called the spectrum of T. 


The Spectral Theorem tells us that we can always diagonalize normal operators 
(in finite dimensions). Recall from linear algebra that the diagonalization can be 
accomplished by a change of basis (to the basis consisting of eigenvectors). The 
change of basis is accomplished by conjugating the operator T with a unitary 
operator P. With respect to the matrix representation for the operator T’, we 
can restate the Spectral Theorem in a form which may be more familiar. 
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Theorem 2.4.3 (Spectral Theorem) For every finite-dimensional normal ma- 
trix T, there is a unitary matrix P such that T = PAP', where A is a diagonal 
matrix. 


The diagonal entries of A are the eigenvalues of T, and the columns of P encode 
the eigenvectors of T. 


Example 2.4.4 Consider the operator X which acts as follows on the computational 
basis states. 


X|0) = |1) (2.4.2) 
X|1) = |0) (2.4.3) 


The matrix representation for this operator is 


cae E i (2.4.4) 


We have the following diagonalization of X. 


1 4 ibe, 2 
01 Ta va 1l0Ol||za zs 
fy-|% 4 E il E ad (2.4.5) 
v2 «V2 v2 V2 
So we have 
rile, 2h 
P=|v2 v2 (2.4.6) 
V2 V2 
and 
1 0 
A= E a ; (2.4.7) 
Thus the eigenvalues of X are 1 and —1, and the corresponding eigenvectors of X are 
LL 
v2 (2.4.8) 
V2 
and 
te 
v2 |. (2.4.9) 
~ V2 
In the Dirac notation, we have 
X = |0)(1| + |1)(0| (2.4.10) 
P=|+)(0|+|-)(1| (2.4.11) 
= 45 |0)(0| + 45l0)(1| + 4511) (0) — S52) (1 (2.4.12) 
A = |0){0| — |1)(1| (2.4.13) 
and the eigenvectors are 
+) = 310) + Spl) (2.4.14) 


TEAM LinG 


32 LINEAR ALGEBRA AND THE DIRAC NOTATION 


and 
|-) = 410) - 310). (2.4.15) 


Note that these eigenvectors are the basis vectors |+) and |—) of the Hadamard basis 
described in Example 2.2.6. 


2.5 Functions of Operators 


One of the reasons why the Spectral Theorem is important is that it allows us 
to simplify the expressions for functions of operators. By the Spectral Theorem, 
we can write every normal operator T in the diagonal form 


T= TIT) (TI. (2.5.1) 


First, note that since each |T;)(T;| is a projector, 
(IZ2)(Til)"" = [Ti (Tal (2.5.2) 
for any integer m. Also noting that the eigenvectors are orthonormal, we have 
(Ti|T5) = 4i,5, (2.5.3) 
where 6; is the Dirac delta function which equals 1 if 1 = j, and equals 0 
otherwise. 


So this means that computing a power of T (in diagonal form) is equivalent to 
computing the powers of the diagonal entries of T: 


(= nin) = TT): (2.5.4) 


uv 


The Taylor series for a function f : C — C, has the form 


fea So ae. (2.5.5) 


For example, the Taylor series for e*” is ‘ean aa”. The range of values of x for 


which the Taylor series converges is called the interval of convergence. For any 
point x in the interval of convergence, the Taylor series of a function f converges 
to the value of f(z). 


Using the Taylor series for a function f, we can define the action of f on operators 
over C (provided the relevant Taylor series converges). For example, we would 
define the exponential function so that, for an operator T’, we have 


1 mM 
a? =e (2.5.6) 
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In general, the Taylor series for any function f acting on an operator T’ will have 
the form 


JOSS at (2.5.7) 
If Tis written in diagonal form, then the expression simplifies: 


Oa > ar 


= Se ain (>: ni) 
= am STL) (EI 


= AMIDE. (2.5.8) 


So when T is written in diagonal form, f(T’) is computed by applying f separately 
to the diagonal entries of T’. In general, the procedure for computing a function 
f of an operator T is to first diagonalize T (the Spectral Theorem tells us we 
can do this for most of the operators that will be important to us), and then 
compute f individually on the diagonal entries. 


2.6 Tensor Products 


The tensor product is a way of combining spaces, vectors, or operators together. 
Suppose H, and 2 are Hilbert spaces of dimension n and m respectively. Then 
the tensor product space 7H, ® H2 is a new, larger Hilbert space of dimension 
nxm. Suppose {|bj) }ie41,....n} 18 an orthonormal basis for 1H, and {|c;) }jeq1 
is an orthonormal basis for 72. Then 


{|bi) ® les} }ieq1,....n},Je{1,..,m} (2.6.1) 


is an orthonormal basis for the space 71; ® H2. The tensor product of two vectors 
\~1) and |w2) from spaces H, and Ha, respectively, is a vector in Hy @ Ho, and is 
written |q1) ®|w2). The tensor product is characterized by the following axioms: 


jess my} 


1. For any c€ C, |w1) € Hy, and |wW2) € Ha, 
c(lh1) ® |W2)) = (elahr)) @ [Y2) = |v) ® (cl¥2)). (2.6.2) 
2. For any |W),|~1) € Hy, and |2) € He, 
(Ia1) + e1)) @ [b2) = |abr) @ [ab2) + e1) @ Ibo). (2.6.3) 
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3. For any |v) € Hy, and |wWe),|y2) € He, 
Ihr) @ (Ih2) + 12) = |eh1) @ |ba) + [1) ® |y2). (2.6.4) 


Suppose A and B are linear operators on H, and Hg respectively. Then A ®@ B 
is the linear operator on H, ® Hy» defined by 


This definition extends linearly over the elements of H, ® He: 


aj 


We have presented the tensor product using the Dirac notation. In the matrix 
representation, this translates as follows. Suppose A is an m x n matrix and Ba 
px q matrix, then the left Kronecker product of A with B is the mp x nq matrix 


ig Biss ct Lug Biyess cas Ail Pig ch AR 
WEB, 5 eel Be nach Bg ols Bi 
wetes. oe oie 
Ars BY ic lee Bike stn Ap Bie cea Be 
RB iN By ate Bn hes Be 


This matrix is sometimes written more compactly in ‘block form’ as 


Au[B] A[B] ... Ain[B] 
Aoi[B] Ao2[B] ... Aon[B] 
; sen ble, as (2.6.8) 


Ana(B] Ana B) -- Anal BI 


Here, [B] represents the p x q submatrix B. Then each block entry A;,;[B] above 
is the matrix [B] multiplied by the single entry in row i, column j, of matrix A. 


Ajj Buy Ajj Bie Wes Ajj Big 
Ajj Bay Aj; Boo eaok Aj; Bag 
Aj;[B] = ; ; : (2.6.9) 
B 


Aj; Bpi Aj; Boo 200A ‘Pq 


a 


The matrix representation for the tensor product of two vectors, or two operators, 
is the left Kronecker product of the matrix representation of the two vectors or 
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operators being ‘tensored’ together. For example, the matrix representation of 
(0/0) + a1|1)) ® (40/0) + G1)1)) is 


a0 Bo 


ag Bo\ _ | aor 
(2°) @ e) Sle. | (2.6.10) 
ait 


A final important word about notation. We often leave the @ symbol out of 
expressions, and thus |w) ® |v) is often written as just |7))|y~), or sometimes even 


be). 
2.7 The Schmidt Decomposition Theorem 


Here we present an important result for quantum information: the Schmidt de- 
composition theorem. We begin by stating the theorem, and then provide some 
examples illustrating it. Then we will describe an application of the theorem. 


Theorem 2.7.1 (Schmidt decomposition) If |y) is a vector in a tensor product 
space H4 ® Hp, then there exists an orthonormal basis {|p)} for H4, and an 
orthonormal basis {\p?)} for Hg, and non-negative real numbers {p;} so that 


|p) = dD veilen ler). (2.7.1) 


The coefficients \/p; are called Schmidt coefficients. To understand what this 
theorem is saying, suppose {|p#)} and {|y~?)} were chosen to be any arbitrary 
orthonormal bases for H4 and 7g respectively. Then, as we saw in Section 2.6, 
the basis states for the space Ha @ Hz are |p) ® |p?) (often written |y#)|y?)). 
The general vector |7)) in H4 ® Hg is then 


I~) = Doser dey) (2.7.2) 


where the coefficients aj; = eid Dig are in general complex numbers. Note 
that we have had to use different indices on the two sets of basis vectors to ac- 
count for all the ‘cross-terms’. If 714 has dimension m and Hg has dimension n, 
this general vector is a superposition of mn basis vectors. The Schmidt decom- 
position tells us that we can always find some pair of bases {|y#)} and {|y?)} 
such that all the ‘cross terms’ vanish, and the general vector simplifies to a sum 


over one set of indices 
It) = 0 veilet)|e?) (2.7.3) 


and the coefficients can be assumed to be real (since any phase factors can be 
absorbed into the definitions of the basis elements). The number of terms in this 
sum will be (at most) the minimum of m and n. 
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Example 2.7.2 As a trivial example of the Schmidt decomposition theorem, consider 
the following vector in a 4-dimensional Hilbert space Hs ®H~e where Ha and Hp each 
have dimension 2: 


|v) = |11). (2.7.4) 
This vector is already written in terms of Schmidt bases (for each of Ha and Hg the 
Schmidt basis is the computational basis). That is, 


{lvo) =|0), let) = 11}, (2.7.5) 


{lyo) =|0), ler) = |1)}. (2.7.6) 
The Schmidt coefficients are po = 0, pi = 1. 


Example 2.7.3 As a slightly less trivial example, consider the following state on the 
same 4-dimensional space Ha ® He as in the previous example: 


|e) = 3100) + 3101) + 3/10) + 3111). ee) 


In this example, the computational basis is not a Schmidt basis for either 74 or He. 
Notice that we can rewrite the vector as 


|v) = (Selo) + Zpl1)) (Sg10) + IW). (2.7.8) 

So we choose Schmidt bases to be 
{iet) = 4510) + 31), lett) = 4loy - 410}, (2.7.9) 
{e8) = 510) +511), Ie?) = 410) - 4511)} (2.7.10) 


and the Schmidt coefficients are po = 1, pi = 0. 


The Schmidt bases for the two parts of the composite space will not always be 
the same. Consider the following example. 


Example 2.7.4 


lv) = 22 |00) + 8 01) + 5x4 \10) + 254 ]11). (2.7.11) 


For this vector Schmidt bases are 


{Ivo) = F510) + Blt), lett) = Blo) - Jally} (2.7.12) 
{Ivo} = Jgl0) + Jel), IpP) = 3510) — 3511} (2.7.13) 


and the Schmidt coefficients are po = i, p= 3. 
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In all the above examples, the bipartite space was one in which each subspace 
had dimension 2. The Schmidt decomposition theorem can be applied to more 
complicated bipartite vector space, even in cases where the two subspaces have 
different dimensions. We will examine a method for computing Schmidt decom- 
positions in Section 3.5.2. 


2.8 Some Comments on the Dirac Notation 


Juggling bras and kets can be somewhat confusing if you are not familiar with 
working in the Dirac notation. Now we discuss a convention that potentially 
adds to this confusion. When we write tensor products of subsystems, we usu- 
ally identify which vectors correspond to which subsystems by the order in which 
the respective tensor factors appear. For example, if system 1 is in state |¢) and 
system 2 in state |j), we would write |2) ® |7), or more simply |2)|j), or even |ij). 
If we wanted to be completely unambiguous we could label the states with sub- 
scripts indexing the systems, and would write the above state as |7)1|j)2. When 
computing the conjugate transpose, following the standard matrix convention 
we would write 


Fetes Nat estes 
(lé)alj)2)° = (il Gle- (2.8.1) 
Physicists more commonly order this differently, and write 
Aste, Sah cope 
(lé)ild)2)) = (lola. (2.8.2) 


According to this convention, we can compute inner products in the following 
way (now omitting the subscripts): 


Gli). (2.8.3) 


Now we derive a useful identity involving tensor products of operators written 
in outer-product form. This is a useful exercise to gain practice and confidence 
in working with the Dirac notation. In what follows, we will not be using the 
convention described in Equation (2.8.2). 


Identity: 
(Ii) @ Li)) (| @ Q) - fe) @ nal. (2.8.4) 


In the above, we have written the ® symbol everywhere, for clarity. However, in 
practice we often leave this symbol out, and sometimes write the labels of the 
factors inside a single ket (or bra). So the above identity could be more concisely 
written 


|i9) (All = |é)(R] @ |g) (UI. (2.8.5) 
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QUBITS AND THE 
FRAMEWORK OF 
QUANTUM MECHANICS 


In this section we introduce the framework of quantum mechanics as it pertains 
to the types of systems we will consider for quantum computing. Here we also 
introduce the notion of a quantum bit or ‘qubit’, which is a fundamental concept 
for quantum computing. 


At the beginning of the twentieth century, it was believed by most that the laws 
of Newton and Maxwell were the correct laws of physics. By the 1930s, however, 
it had become apparent that these classical theories faced serious problems in 
trying to account for the observed results of certain experiments. As a result, a 
new mathematical framework for physics called quantum mechanics was formu- 
lated, and new theories of physics called quantum physics were developed in this 
framework. Quantum physics includes the physical theories of quantum electro- 
dynamics and quantum field theory, but we do not need to know these physical 
theories in order to learn about quantum information. Quantum information is 
the result of reformulating information theory in this quantum framework.! 


3.1 The State of a Quantum System 


We saw in Section 1.6 an example of a two-state quantum system: a photon that 
is constrained to follow one of two distinguishable paths. We identified the two 
distinguishable paths with the 2-dimensional basis vectors 


6 and (?) (3.1.1) 


and then noted that a general ‘path state’ of the photon can be described by a 
complex vector 
ao 
(2) an 


lit is worth noting that the term quantum mechanics is also often used to refer to that part 
of quantum physics that deals with a special limit of quantum field theory. 


38 ; 
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with |ao|? +|a1|? = 1. This simple example captures the essence of the first pos- 
tulate, which tells us how physical states are represented in quantum mechanics. 


State Space Postulate 


The state of a system is described by a unit vector in a Hilbert space 1. 


Depending on the degree of freedom (i.e. the type of state) of the system being 
considered, 7{ may be infinite-dimensional. For example, if the state refers to the 
position of a particle that is free to occupy any point in some region of space, the 
associated Hilbert space is usually taken to be a continuous (and thus infinite- 
dimensional) space. It is worth noting that in practice, with finite resources, 
we cannot distinguish a continuous state space from one with a discrete state 
space having a sufficiently small minimum spacing between adjacent locations. 
For describing realistic models of quantum computation, we will typically only 
be interested in degrees of freedom for which the state is described by a vector in 
a finite-dimensional (complex) Hilbert space.” In particular, we will primarily be 
interested in composite systems composed of individual two-level systems. The 
state of each two-level system is described by a vector in a 2-dimensional Hilbert 
space. We can encode a qubit in such a two-level system. We would choose a 
basis for the corresponding 2-dimensional space. We would label one of the basis 
vectors with |0) and the other basis vector with |1). This is analogous to what 
is done for classical computation. For a classical computer, the two-level system 
may be the voltage level on a wire, which could be zero, or some positive value 
(say +5mV). We might encode a classical bit in such a system by assigning 
the binary value ‘0’ to the state in which the voltage on the wire is 0, and the 
value ‘1’ to the state in which the voltage on the wire is + 5mV. The {|0),|1)} 
basis for the state of a qubit is commonly referred to as the computational 
basis. 

A quantum mechanical two-level system might be a single photon that can be 
found in one of two distinct paths, as we saw in the introduction. Another ex- 
ample of a quantum two-level system is the presence or absence of a photon in 
a particular location or path. 


The state of this system is described by a vector in a 2-dimensional Hilbert space. 
A convenient basis for this space consists of a unit vector for the state in which 
a photon is not present, and an orthogonal unit vector for the state in which a 
photon is present. We can label these states with |0) and |1), respectively. Then 
the general state of the system is expressed by the vector 


ag|0) + a|1) (3.1.3) 


where ap and qa, are complex coefficients, often called the amplitudes of the 
basis states |0) and |1), respectively. Note that a complex amplitude a can be 


? However, it is common to use infinite dimensional state spaces to model the physical systems 
used to implement quantum (as well as classical) information processing. 
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decomposed unique as a product e’’|a| where |a| is the non-negative real number 


corresponding to the magnitude of a, and e’”? = Tal has norm 1. The value @ is 
i0 


known as the ‘phase’, and we refer to the value e”” as a ‘phase factor’. 


The condition that the state is described by a unit vector means that |ao|? + 
|a1|? = 1. This condition is sometimes called the normalization constraint, and 
it is necessary for consistency with the way quantum measurements behave, as 
we will see in the Measurement Postulate. The general state of the system is a 
superposition of a photon being present, and a photon not being present. 


Another example of a two-level quantum mechanical system is the spin state 
of certain types of particles. According to quantum physics, particles have a 
degree of freedom called spin, which does not exist in a classical description. 
Many particles fall into the category of so-called spin-% particles. For these, the 
spin state is indeed described by a vector in a 2-dimensional Hilbert space 7. 
A convenient basis for this space consists of a unit vector for the ‘spin-up’ state 
of the particle, and an orthogonal unit vector for the ‘spin-down’ state of the 
particle. We can label these basis vectors by |0) and |1), respectively. The general 
spin state of a spin-3 particle is a superposition of spin-up and spin-down. 


As another example of a physical system whose state can be described by a vector 
in a 2-dimensional Hilbert space, consider an electron orbiting a nucleus. Suppose 
we choose energy as the degree of freedom of interest. There is a theoretically 
infinite number of possible energy levels for the electron, and so the Hilbert space 
would have infinite dimension. From quantum mechanics we know that these 
energy levels are quantized. That is, instead of a continuous range of possible 
energies, the electron is restricted to have energies from a discrete set. It is 
possible to have such a system for which the electron can easily be found in the 
ground state (lowest energy level), or the first excited state, but the amount of 
energy required to excite the system to higher energy levels is so high we are 
almost certain never to find energy levels higher than the first two. In such cases 
we can choose to ignore the subspace spanned by all energies higher than the first 
excited state, and for all practical purposes we have a two-level system described 
by a 2-dimensional vector in the space spanned by the lowest two energy levels. 


An important point about state vectors is the following. The state described by 
the vector e’? |) is equivalent to the state described by the vector |q), where e’” 
is any complex number of unit norm. For example, the state 


|0) + |1) (3.1.4) 
is equivalent to the state described by the vector 
e710) + e|1). (3.1.5) 


On the other hand, relative phase factors between two orthogonal states in 
superposition are physically significant, and the state described by the vector 


0) + |1) (3.1.6) 
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is physically different from the state described by the vector 
|0) + e%|1). (3.1.7) 


Technically we could describe quantum states by equivalence classes of unit vec- 
tors, but we will simply specify a unit vector, with the understanding that any 
two vectors that are related by a global phase are equivalent. We will moti- 
vate the fact that |) and e’®|%) are equivalent after we have introduced the 
Measurement Postulate. 


So the State Space Postulate, together with the observation of the previous 
paragraph, tells us that we can describe the most general state |W) of a single 
qubit by a vector of the form 


|) = cos ($) |0) + e’? sin (4) |1) (3.1.8) 


(we take g instead of just @ to be consistent with the angle 6 appearing in 
Figure 3.3, which will be discussed shortly). Consider the analogous situation 
for a deterministic classical bit. The state of a classical bit can be described by 
a single binary value w, which can be equal to either 0 or 1. This description 
could be expressed in terms of the diagram shown in Figure 3.1. In this figure, 
the state can be indicated by a point in one of two positions, indicated by the 
two points labelled 0 and 1. 


Next consider the slightly more complicated situation of a classical bit whose 
value is not known exactly, but is known to be either 0 or 1 with corresponding 
probabilities po and p;. We might call this a probabilistic classical bit. The state 
of such a probabilistic bit is described by the probabilities pp and p,, which 
satisfy po + pi = 1 (reflecting the fact that we know the bit has to be either 
0 or 1). As we saw in Section 1.4, we can represent these two probabilities by 
the 2-dimensional unit vector 

Po 

>) (3.1.9) 


whose entries are restricted to be real and non-negative. This description could 
be expressed in terms of the diagram shown in Figure 3.2. In this figure, the 


0 


Fig. 3.1 The state of a deterministic classical bit can be represented as one of two 
points, labelled ‘0’ and ‘1’. 
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Pi 


Po 


1 


Fig. 3.2 A probabilistic classical bit. Here the probabilities po and pi of the bit being 
0 and 1, respectively, are represented by the position of a point on the line segment 
between the points representing 0 and 1. 


state could be drawn as a point on the line between the positions 0 and 1. We 
suppose this line has unit length, and the position of the point on the line is 
determined by the probabilities po and pj. 


Note that with only one copy of such a probabilistic bit, we cannot determine po 
and p, exactly. If we are given a means to obtain several independent copies of 
the probabilistic bit (where each copy independently outputs 0 with probability 
po and 1 with probability p,), then we could accumulate statistics about the 
values po and p;. Otherwise, we cannot in general ‘clone’ this bit and get two or 
more independent copies that would allow us to obtain arbitrarily good estimates 
of po and pj. 


Now return to the state of a quantum bit, which is described by a complex unit 
vector |v) in a 2-dimensional Hilbert space. Up to a (physically insignificant) 
global phase factor, such a vector can always be written in the form 


|b) = cos (8) |0) + e’” sin ($) |1). (3.1.10) 


Such a state vector is often depicted as a point on the surface of a 3-dimensional 
sphere, known as the Bloch sphere, as shown in Figure 3.3. Two real parameters 0 
and y are sufficient to describe a state vector, since state vectors are constrained 
to have norm 1 and are equivalent up to global phase. Points on the surface of 
the Bloch sphere can also be expressed in Cartesian coordinates as 


(x,y, Z) = (sin @ cos y, sin 6 sin y, cos 8). (3.1.11) 


We will also explain the meaning of points within the Bloch sphere when we 
consider density matrices in Section 3.5. 


Figure 3.4 summarizes the graphical representations of the states of a classical 
bit, a probabilistic classical bit, and a quantum bit. 
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Fig. 3.4 States of deterministic classical, probabilistic classical, and quantum bits. 


3.2 Time-Evolution of a Closed System 


A physical system changes in time, and so the state vector |y) of a system 
will actually be a function of time, |W(¢)). Quantum theory postulates that the 
evolution of the state vector of a closed quantum system is linear. In other words, 
if we know that some fixed transformation, let us call it U, maps |w;) to U|y,;) 
then 


For example, as we saw in the introduction, if |0) evolves to 950) + all), and 
|1) evolves to 3510) + yall), then ao|0) + a4|1) evolves to 


ao (J510) + Jglt)) + a1 (510) + Jgld)) (3.2.2) 
_ ag + 104 tag + ay 
= ge ee (3.2.3) 
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As we have mentioned briefly already, and will elaborate on in Section 3.4, the 
coefficients a; of a state vector satisfy 57; |a;|? = 1. The only linear operators 
that preserve such norms of vectors are the unitary operators (see Section 2.3). 
This brings us to the Evolution Postulate. 


Evolution Postulate 


The time-evolution of the state of a closed quantum system is described by a 
unitary operator. That is, for any evolution of the closed system there exists 
a unitary operator U such that if the initial state of the system is |W), then 
after the evolution the state of the system will be 


|b2) = U|y1). (3.2.4) 


In quantum computing, we refer to a unitary operator U acting on a single-qubit 
as a I-qubit (unitary) gate. We can represent operators on the 2-dimensional 
Hilbert space of a single qubit as 2 x 2 matrices. A linear operator is specified 
completely by its action on a basis. For example, consider the quantum NOT gate 
which is a unitary operator mapping |0) to |1), and mapping |1) to |0). Being a 
linear operator, it will map a linear combination of inputs to the corresponding 
linear combination of outputs, and so the NOT gate maps the general state 


ag|0) + a|1) (3.2.5) 


to the state 
ao|1) + ay |0). (3.2.6) 


Recall that the basis vectors have a representation as column matrices. In terms 
of this matrix representation, the action of the NOT gate on the basis vectors is 


= QQ): OG an 


From this information, we can construct the matrix for the NOT gate (in the 
computational basis): 


01 
? i : (3.2.8) 
The gate acts on the state of a qubit by matrix multiplication from the left: 


Not|0) = fi 1 @ = (?) = 1). (3.2.9) 


The NOT gate is often identified with the symbol X, and is one of the four Pauli 


gates: 
—7—|19 ree ae oe 
09 = =|01 nsmnexe|t 
02 == =|; a nao.aZ=|, we (3.2.10) 


TEAM LinG 


COMPOSITE SYSTEMS 45 


As we will see in Chapter 4, the Pauli gates X,Y, and Z correspond to rotations 
about the x-, y- and z-axes of the Bloch sphere, respectively. One reason why 
the Pauli gates are important for quantum computing is that they span the 
vector space formed by all 1-qubit operators. In particular, this means that any 
1-qubit unitary operator can be expressed as a linear combination of the Pauli 
gates. 


It is worth noting that the unitarity of quantum evolution implies reversibility. 
This reversibility is a consequence of restricting attention to closed systems. We 
saw in Section 1.5 that any irreversible classical computation can be efficiently 
simulated by a reversible classical computation. The same holds for quantum 
computation (this is described in more detail in Section 3.5.3). 


In a typical first course in quantum physics, one learns that the continuous time- 
evolution of a closed quantum mechanical system (ignoring special relativity) 
follows the Schrédinger equation 

dp(t)) 


in = H(e)|H(O)) (3.2.11) 


where fi is a physical constant known as Planck’s constant and H(t) is a Hermitean 
operator known as the Hamiltonian of the system. The Hamiltonian is an oper- 
ator which represents the total energy function for the system. It may in general 
be a function of time, but for convenience, let us consider Hamiltonians that are 
constant. In this case the solution to the Schrodinger equation for fixed times ¢1 
and to is 

[(t2)) = eNO) h(t). (3.2.12) 


Exercise 3.2.1 Show that (3.2.12) is a solution of the time-independent Schrédinger 
equation. 


For Hermitean operators H, the operator e~*#('2—t1) is a unitary operator. So 
for the case of (non-relativistic and continuous time) constant Hamiltonians, 
one can easily show that the Evolution Postulate follows from the Schrodinger 


equation. 


3.3 Composite Systems 


So far we have discussed the postulates for the case of a single system only, 
in particular a qubit. If all we ever needed to know was how isolated qubits 
behave when they are never allowed to interact with each other, then this would 
be sufficient. If we want to study potentially useful quantum computations we 
will need to understand how quantum mechanics works for systems composed of 
several qubits interacting with each other. That is, we would like to know how 
to describe the state of a closed system of n qubits, how such a state evolves 
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in time, and what happens when we measure it. Treating a larger system as a 
composition of subsystems (of bounded size) allows for an exponentially more 
efficient description of operations acting on a small number of subsystems. 


The way we represent composite quantum systems is in fact analogous to the way 
we treated composite classical probabilistic systems in Section 1.4. This brings 
us to our third postulate. 


Composition of Systems Postulate 


When two physical systems are treated as one combined system, the state 
space of the combined physical system is the tensor product space 1; ® H2 of 
the state spaces H 1,72 of the component subsystems. If the first system is in 
the state |w) and the second system in the state |72), then the state of the 
combined system is 


|1) ® |). (3.3.1) 


As mentioned in Section 2.6, we often omit the ‘@’ symbol and write the joint 
state like |y1)|wW2), or sometimes even more compactly as | We). 


One can apply the Composition of Systems Postulate inductively to show that 
the state space of system composed of n distinct subsystems is the tensor product 
space of the state spaces of the n subsystems. For convenience, we will consider 
the subsystems to be of dimension 2, but it is straightforward to generalize to 
larger dimensional subsystems. 


It is important to note that the state of a 2-qubit composite system cannot 
always be written in the product form |7y1) ® |2). If the 2 qubits are prepared 
independently, and kept isolated, then each qubit forms a closed system, and the 
state can be written in the product form. However, if the qubits are allowed to 
interact, then the closed system includes both qubits together, and it may not 
be possible to write the state in the product form. When this is the case, we 
say that the qubits are entangled. From an algebraic point of view, the state 
of the composite system is a vector in the 4-dimensional tensor-product space 
of the 2 constituent qubits. The 4-dimensional state vectors that are formed by 
taking the tensor product of two 2-dimension state vectors form a sparse subset 
of all the 4-dimensional state vectors. In this sense, ‘most’ 2-qubit states are 
entangled. 


Exercise 3.3.1 Consider the 2-qubit state 
|) = 25]0)]0) + 4511)|1). (3.3.2) 


Show that this state is entangled by proving that there are no possible values ao, @1, (Jo, 
(1 such that 


IW) = (a0|0) + a1|1)) (Go10) + 6111)). (3.3.3) 
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(Note, the state |) above is called an EPR pair, named for Einstein, Podolsky, and 
Rosen, who considered such states in their investigations of quantum mechanics.) 


Suppose we have a 2-qubit composite system, and we apply the NOT gate X 
to the first qubit. We implicitly apply the identity operator I to the second 
qubit at the same time. Thus the 2-qubit input |) ® |w2) gets mapped to 
X |) @I|\W2) = (X @1)(|\v1) ® |t2)). That is, the linear operator describing this 
operation on the composite system is 


X@l (3.3.4) 
which has the matrix representation 
0010 
bo] ® [oa] = aa (3.3.5) 
0100 


Although it acts on the composite 2-qubit system, since it acts non-trivially on 
only one of the qubits, a gate such as this one is really a 1-qubit gate. 


If our system was the composition of n qubits, then applying the X gate to the 
first qubit corresponds to applying the operation X @1@I@®---@TI (with I 
repeated n — 1 times) to the entire system. Note that if we ignore the subsystem 
structure and just treat the n-qubit system as a 2”-dimensional system, we would 
need a 2” x 2” dimensional matrix to describe this simple operation. 


Just as there are 2-qubit states that cannot be written as the product of two 
1-qubit states, there are 2-qubit gates (acting non-trivially on both qubits) that 
cannot be written as a tensor product of two 1-qubit gates. An important exam- 
ple is the quantum controlled-NOT, or CNOT gate (recall the classical version of 
this gate defined in Section 1.4). In terms of its action on the basis states of the 
2-qubit system, the CNOT gate behaves as follows: 


100) ++ |00), |01)++ 01), |10)+ J11),  |11) © |10). (3.3.6) 


(recall |00) = |0) @|0)). In the computational basis, the CNOT gate flips the state 
of the second qubit if the first qubit is in state |1), and does nothing otherwise. 
As with all unitary operators, the CNOT gate acts linearly over superpositions. 
The matrix representation for the CNOT gate is 


1000 
0100 
0001 
0010 


(3.3.7) 
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Recall in Section 1.4, we saw that the tensor product is the mathematical tool 
to get a single description for a composite system composed of two or more sub- 
systems. The Composition of Systems Postulate tells us that the same approach 
can be used to describe composite quantum mechanical systems. 


3.4 Measurement 


We have seen how the state of a single-qubit system is represented in quan- 
tum mechanics as a vector in a Hilbert space, and we have seen how such a 
state evolves according to a unitary operator. Notice that the Evolution Postu- 
late assumes that the quantum system is closed, meaning that it is not allowed 
to interact with its environment. Ultimately we will be interested in measur- 
ing some properties of a system, and so at some point we must allow the sys- 
tem to interact with the measurement apparatus of some observer. When this 
happens the original system is no longer closed, and the Evolution Postulate 
is no longer appropriate for describing its evolution. It is possible to combine 
the system and any other part of the environment interacting with the sys- 
tem, including the measurement apparatus, into a larger closed quantum sys- 
tem. Such a fully quantum treatment of the interaction between observer and 
system would take us into controversial territory and distract from the main 
point of this text. It is convenient, conventional, and sufficient to introduce 
a measurement postulate and rely on more familiar notions of classical prob- 
ability theory. The evolution of the state of a system during a measurement 
process is not unitary, and we add this additional postulate to describe such 
processes. 


Suppose we have a system with N distinguishable states |0),|1),...,|N — 1), 
and some apparatus that will reliably distinguish these N states. Without loss 
of generality, let us say the apparatus will output the (classical) label ‘2’ to- 
gether with the observed state |i) when |) is provided as input. In other words, 
the measurement apparatus provides a classical description of the measurement 
outcome (which we simply denote as i where we indexed the possible measure- 
ment outcomes using the indices 7; the values 7 do not need to be integers), along 
with some quantum state. Traditionally, the classical description or label is often 
described as a needle pointing to some value on a dial. But if we assume only 
finite resolution we can just as well assume a digital display with sufficiently 
many digits. 


Quantum mechanics tells us that if the state }°,a;|¢) is provided as input to 
this apparatus, it will output label i with probability |a;|? and leave the system 
in state |i). This is the essence of the Measurement Postulate. However, we will 
state a slightly more general version that can be derived from the above simple 
version together with the Evolution Postulate. Then we will discuss other com- 
mon formulations of the measurement postulate and some of their well-known 
features. 
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Measurement Postulate 


For a given orthonormal basis B = {|y;)} of a state space H, for a system 
A, it is possible to perform a Von Neumann measurement on system Ha with 
respect to the basis B that, given a state 


|b) = dale); (3.4.1) 


outputs a label i with probability |a;|? and leaves the system in state |y;). 
Furthermore, given a state |) = 0, a:|~:)|y) from a bipartite state space 
Ha ® Hep (the |y;) are orthonormal; the |7;) have unit norm but are not nec- 
essarily orthogonal), then performing a Von Neumann measurement on system 
A will yield outcome i with probability |a;|? and leave the bipartite system in 
state |yi)|%)- 


For the state |) = >7, ai|y:), note that a; = (ys||) = (vil), and thus 
las|? = afag = (lye) (vild). (3.4.2) 


We can see that two states |) and e? |b) (differing only by a global phase) 
are equivalent. Consider the state e’?|7) = 5°, a;e’’|W;) immediately before a 
measurement. The result 7 will occur with probability 


p(t) = afe axe” = af a; = Jax? (3.4.3) 


and thus the resulting probability is the same as it would be for the state |~). 
The statistics of any measurements we could perform on the state e’?|y) are 
exactly the same as they would be for the state |q). This explains our earlier 
claim that global phases have no physical significance. 


Suppose we measure both qubits of a composite system in state 


1) = /Eloy10) + Slo) + 210) + /Siyy. (3.4.4) 


When we measure the two qubits in the computational basis, the probability of 
getting the result 00 is re the probability of getting 01 is 3, the probability 
of getting 10 is 2, and the probability of getting 11 is 2. Thus the probability 
of measuring 0 in the first qubit is thus 7 + 2 = o. To see what happens if we 
just measure the first qubit, it is convenient to rewrite |1)) as 


?Notice that here we use subscripts (e.g. |;)) to index different terms in a superposition 
of states on a single system. This is different from our usage in Section 3.3 where we used 
subscripts on |71) and |w2) to index states on different subsystems of a bipartite system 
(factors in a tensor product). Both conventions are commonly used, and the meaning should 
always be clear from the context. 
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= / £10) (v/4I0 + vain) +f) (20 + vain) . (3.4.5) 


The measurement of just the first qubit gives 0 with probability 4, and in this 
case the state of the second qubit is left in the superposition (V3 |0) + Vi 11)) : 


One will find a variety of formulations of the Measurement Postulate in text- 
books. They can all be derived from the simple postulates that have been out- 
lined. 


In Section 4.5, we will see how to implement a Von Neumann measurement with 
respect to an arbitrary basis {|q);)} given the means to perform a Von Neumann 
measurement in the computational basis {|i)} and the ability to perform unitary 
transformations. 


Combining the Measurement Postulate above with the other postulates, we can 
derive more general notions of measurement. In particular, if one wishes to mea- 
sure a pure state |) one can add an ancillary register? of arbitrary size initialized 
to some fixed state, say |00...0). One can then perform a unitary operation on 
the joint system, followed by a Von Neumann measurement on some subsystem 
of the joint system to obtain a label i. Depending on what is done with the rest 
of the system (i.e. the part of the system that was not measured), one can derive 
a variety of generalized notions of quantum measurement (see Appendix A.8). In 
this section, we will only discuss one slight generalization of the Von Neumann 
measurements that can be derived in this way. 


A Von Neumann measurement is a special kind of projective measurement.4 
Recall that an orthogonal projection is an operator P with the property that 
Pt = P and P? = P. For any decomposition of the identity operator J = Berar 
into orthogonal projectors P;, there exists a projective measurement that outputs 
outcome i with probability p(t) = (~|Pi|y) and leaves the system in the re- 
Pil) 
p(s) 
state |v) into one of the orthogonal subspaces corresponding to the projection 
operators P;, with probability equal to the square of the size of the amplitude of 
the component of |w) in that subspace. 


normalized state In other words, this measurement projects the input 


Exercise 3.4.1 


(a) Prove that if the operators P; satisfy Pi = P,; and P? = P;, then P,P; = 0 for all 

it j. 

(b) Ne oe any pure state |~) can be decomposed as |) = 5°, ai|yi) where a; = 
P; d Ju) = Pilv) 

VeG); pli) = (IPI), and |i) = 


3We will often refer to a register of ancillary qubits as simply an ‘ancilla’. 


4 Also known as a Liiders measurement. The term ‘Von Neumann measurement’ is also often 
used to denote this more general notion of projective measurement. 
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Also prove that (wWi|w;) = 6:,;. 


(c) Prove that any decomposition I = )7, P; of the identity operator on a Hilbert space 
of dimension N into a sum of nonzero projectors P; can have at most N terms in the 
sum. 


Note that the Von Neumann measurement as described in the Measurement 
Postulate (which can be described as a ‘complete’ or ‘maximal’ measurement) 
is the special case of a projective measurement where all the projectors P; 
have rank one (in other words, are of the form |¢);)(w;| for a normalized state 


|i)). 


The simplest example of a complete Von Neumann measurement is a complete 
measurement in the computational basis. This can be viewed as a projective 
measurement with respect to the following decomposition of the identity 


ae ee 


i€{0,1}” 


where P; = |<) (i]. 


A simple example of an incomplete projective measurement is a ‘parity’ mea- 
surement, where Po = > parity(x)=o |Z) (z| and Pi = > parity(2)=1 [Z)(z|, where Po 
sums over all strings with an even number of 1s and P, with an odd number of 
1s (Section 4.5 shows how to implement this projective measurement). 


Projective measurements are often described in terms of an observable. An ob- 
servable is a Hermitean operator M acting on the state space of the system. 
Since M is Hermitean, it has a spectral decomposition 


M=S > mP; (3.4.6) 


where P; is the orthogonal projector on the eigenspace of M with real eigenvalue 
m,. Measuring the observable corresponds to performing a projective measure- 
ment with respect to the decomposition I = )°,P; where the measurement 
outcome 7 corresponds to the eigenvalue m;. 


Example 3.4.1 Consider the Pauli observable Z. Recall from Section 3.2 that the 
Pauli operator Z is defined by 


Z= E Z| (3.4.7) 


In that section, we interpreted Z as a quantum gate. But it is easy to see that Z 
is a Hermitean operator, and so can be interpreted as an observable. The spectral 
decomposition for Z is 

Z = |0)(0| — |1) (I, (3.4.8) 
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and so the eigenvalues of Z are 1 and —1, corresponding to eigenvectors |0) and |1) 
respectively. So the measurement operators are the projectors |0)(0| and |1)(1|, and 
thus a measurement of the Pauli observable Z is a measurement in the computa- 
tional basis, with eigenvalue +1 corresponding to |0) and eigenvalue —1 corresponding 
to |1). 


Exercise 3.4.2 Show that measuring the observable |1)(1| is equivalent to measuring 
the observable Z up to a relabelling of the measurement outcomes. 


Exercise 3.4.3 Verify that a measurement of the Pauli observable X is equivalent to 


a complete measurement with respect to the basis { a (0) + |1)), Fi (|0) I1))} basis. 


Exercise 3.4.4 


(a) Prove that performing a projective measurement with respect to Po and P; (defined 
above) on an n-qubit state is equivalent to measuring the observable Z®”. 


(b) Explain why performing a complete Von Neumann measurement with respect to 
the computation basis, and then outputting the parity of the resulting string is not 
equivalent to performing a projective measurement of the parity. 


Exercise 3.4.5 The observable formalism gives a convenient way to describe the ex- 
pected value of a quantum measurement, where the eigenvalues m; correspond to some 
relevant physical quantity. Such expectation values are particularly relevant for quan- 
tum experiments (particularly the early ones) where one does not measure individual 
quantum systems, but rather an ensemble of many independent and identically pre- 
pared systems, and where the measurement apparatus provides only cumulative results 
(e.g. the net magnetic field induced by an ensemble of nuclear spins). Consider a pro- 
jective measurement described by projectors P;, and suppose we measure the state |~). 
Show that the expected value of m; is 


E(mi) = Tr(M|d)(y))- 


We have now seen how quantum measurements behave, starting with a postu- 
late that describes a particular class of measurements, called (complete) Von 
Neumann measurements. The Measurement Postulate also described the behav- 
iour of a measurement when we measure a subsystem of a larger composite 
quantum system. The Von Neumann measurement can be combined with other 
basic quantum operations to provide more general types of measurements, 
including general projective measurements, which canalso be phrased in terms 
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of measuring an observable (which can be any Hermitean operator on the state 
space). 


3.5 Mixed States and General Quantum Operations 


In the preceding, we have always assumed that the state of a system has a 
definite state vector. Such a state is commonly referred to as a pure state. There 
are important situations, as we shall see, for which all we can say is that the 
qubit is described by one of a specific set of state vectors, with corresponding 
probabilities (the probabilities must add to 1). For example, suppose we know 
that a qubit is in the pure state |) = 5 |0)+ yall) with probability 1/3, and is 
in the pure state |¢2) = wa |0) — wi |1) with probability 2/3. The state described 
by this probability distribution is called a mixture or ensemble of the states |~1) 
and |). We refer to the state of a system in such a situation as being a mixed 
state. In this section, we will define the standard mathematical tools used to 
describe mixed states and operations on mixed states. We will also discuss the 
partial trace operation, which will in general map a pure state to a mixed state, 
and a more general class of operations, which we call superoperators, that can 
be derived from the partial trace. 


3.5.1 Mixed States 


We can have mixed states on an ensemble of any number n of qubits. One way 
of representing a general mixed state on n qubits is as the ensemble 


{ (Iu1),?1), (Iv2)-P2); +--+ (Ibe), Px) } (3.5.1) 


which means that the system is in the pure (n-qubit) state |,;) with probability 
pi, for i = 1,2,...,k. Note that a pure state can be seen as a special case of a 
mixed state, when all but one of the p; equal zero. 


To use a representation such as (3.5.1) in all our calculations would be quite 
cumbersome. There is an alternative, very useful, representation of mixed states 
in terms of operators on the Hilbert space H. These are called density operators.° 
The matrix representation of a density operator is called a density matrix. 


The density operator for a pure state |w) is defined as 


p= Wl. (3.5.2) 


If we apply the unitary operator U to state |y) we get the state U|w) which has 
density operator U|w)()|U'. Consider measuring the state with density operator 


5It might seem unusual at first to use an ‘operator’ to describe a state. Nonetheless, it is 
useful to use such a mathematical object to describe the state of a system. 
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p = |) (| in the computational basis. Recalling Equation (3.4.2), the probability 
of getting 0 is given by 


(0[4) (10) = (O|p|0). (3.5.3) 
Notice that (0) (q|0) evaluates to a real number. Since any number is the trace 


of a corresponding 1 x 1 matrix (whose only entry is that complex number), we 
can also write the probability of the measurement giving result 0 as 


(O|eb) (p|0) = Tr ((0|x) (x]0)) 
= Tr(|0) (0||eb) (bl) (3.5.4) 
where the last step follows from the cyclicity of trace (ie. Tr(ABC) = 
Tr(BCA) = Tr(CAB)). 


Similarly, if we measure a qubit in a state with density operator p = |W) (w|, the 
probability of obtaining the outcome |1) is Tr(|1)(1||w)(#|). If only dealing with 
pure states, this notation is unnecessarily redundant; however, if we also consider 
mixed states it is a much more concise notation than used above in Equation 
(3.5.1). 


The density operator for an ensemble of pure states such as (3.5.1) is 
k 
p= >— pili) (bil (3.5.5) 
i=1 


and captures all the relevant information about the state of the system. 


For example, if we apply the unitary operator U to mixed state described in 
(3.5.1), we would get the mixed state 


{(Uld1),P1); (U|w2),p2),.--, (Ulex), px) } (3.5.6) 


which has density operator 


k k 
DPT li) (pilU" =i (domo! ut (3.5.7) 
= Uptut. (3.5.8) 


Note that the output density operator can be computed from the input density 
operator and the unitary U without knowing the precise decomposition of the 
input density operator. 


Given the mixed state described by the density operator p of Equation (3.5.5), if 
we measure in the computational basis the probability of obtaining the outcome 
|0), for example, is 
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> PATr(|0) (Ol us) (esl) (3.5.9) 
= Tr > Pil0) (Olli) (wal (3.5.10) 


=T (sa) (3.5.11) 
= Tr(|0)(0|p). (3.5.12) 


For computing the statistics associated with measuring any observable property 
of a system, all that matters is the density operator itself, and not the precise 
decomposition of the density operator. In other words, two mixtures with the 
same density matrices are indistinguishable or equivalent (analogous to the way 
two pure states that differ only by a global phase are equivalent). 


Exercise 3.5.1 Find the density matrices of the following states: 


(a) {(10), 3)- (IM). 3) f- 


Exercise 3.5.2 


(a) Prove that the density operator p for an ensemble of pure states satisfies the fol- 
lowing conditions: 


(i) Tp) = 1. 
(ii) p is a positive operator (i.e. for any |v), (v|p|v) is real and non-negative; equiv- 
alently, the eigenvalues of p are non-negative). 


(b) Show that for any matrix p satisfying conditions 1 and 2, there exists a finite list 
of probabilities p; and pure states |y~;) such that p is the density matrix of the mixed 
state 


{ (Ix), P:); (la), p2) +--+ (Ie), Pa) Fe (3.5.13) 


Exercise 3.5.3 Consider any linear transformation T on a Hilbert space 1 of dimen- 
sion N. This linear transformation T induces a transformation p++ TpT' on the set of 
linear operators on the Hilbert space H. Prove that the above transformation is also 
linear. 
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Mixed States and the Bloch Sphere 


Recall from Section 3.1 that pure states of a qubit can be represented by points 
on the surface of the Bloch sphere. Mixed states correspond to points in the 
interior of the Bloch sphere, which can be seen as follows. If p = 5°, pi|vi) (Yi! 
and if the Bloch vector for |%;) is (Qz,i,@y,i,@z,:), then the Bloch vector for 
the mixed state p is 


p= Do Pi(e,is Qyi,Qzi) = (Sr Eras Eon . (3.5.14) 


There are of course many different convex combinations of points on the sur- 
face of the Bloch sphere that correspond to the same mixed state. One can 
compute the Bloch vector for a mixed state directly from its density matrix 
as follows. Recall in Section 3.2 we observed that any operator on a single 
qubit can be written as a linear combination of operators from {I, X,Y, Z}. 
The operators X,Y, Z all have trace 0. Since a density matrix must have trace 
1 (Exercise 3.5.2), this means that any density operator for a single qubit can 
be written as 

p= 5l+a,X +ayY +a,Z. (3.5.15) 


The vector (az, Qy,@z) gives the coordinates for the point in the Bloch sphere 
corresponding to the state p. For example, the totally mixed state (the ensemble 
{(|0)(O|, 5), ({1)(1|, $)} corresponds to the point at the centre of the Bloch 
sphere. 


3.5.2 Partial Trace 


One of the most important uses for the density operator formulation is as a tool 
for describing the state of a subsystem of a composite system. Consider a pure 
state |W)ap € Ha ® He of two qubits. Recall that the general state of such 
a system may be entangled, and so it may not be possible to factor out the 
state vector |q)4 € Ha for the state of the first qubit. However, the state of 
the first qubit can in general be described as a mixed state. This means that it 
can be described by a density operator p“ on Ha, sometimes called a reduced 
density operator. The mathematical operation for calculating the reduced density 
operator is the partial trace. The reduced density operator p, is defined in terms 
of the density operator p4? for the full 2-qubit system by 


p+ =Trg (p*”) ; (3.5.16) 


where Trg is the partial trace over system B, defined as the linear extension of 
the operator defined on basis states by 


Trp (|a1)(a2| & |b1) (b2]) = |a1) (a2|Tr(|b1) (b2|). (3.5.17) 
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Since 
Equation (3.5.17) can be simplified to 
Trp (|a1)(a2| ® |b1) (ba) = |a1)(ag|(b2|b1). (3.5.19) 


The operation of computing Trg is sometimes referred to as tracing-out system 
B. As an example, we illustrate the partial trace operation by tracing out the 
second qubit of the 2-qubit entangled state 


5 (00) + {11)). (3.5.20) 
The density matrix for this state is 
= $(|00) (00| + |00)(11| + |11)(00| + |11)(11]). (3.5.21) 


We compute the reduced density operator for the first qubit by tracing out qubit 
B. 

p* = Trp(p) 

= $Tr2(|00) (00| + |00) (11| + |11)(00] + |11)(11]) 

= 7Tr2(l0)(0] & 0) (O| + |O)(1] @ [O)(1] + |1)(O] ® |1)(O] + [1)(1] @ |1) (11) 

= 5 ([0) (01+ (J0)(0]) + 0) (4) Te(0)(4]) + [1) (O/Te(|1){0]) + [1) (1ITH(11) (11) ) 
= 5 (10) (O|(0[0) + [0)(1|(1]0) + |1) (0](O|1) + |1)(1](2]1)) 

= $(10)(0| + |1)(1]). (3.5.22) 


Reduced density operators can be computed for composite systems consisting of 
more than two qubits in an analogous way. 


In Section 3.5.3, we see that the partial trace can be combined with the other 
operations on quantum states that we have seen in order to induce a more general 
type of transformation on quantum states, which we call superoperators. 


We conclude this section on partial trace by showing that the partial trace is very 
straightforward to compute when the joint state of the system being discarded 
and the system being kept is expressed in Schmidt form. 


Exercise 3.5.4 


(a) Given a bipartite state on H4 @ HB, suppose we want to apply a unitary operation 
U on A, and then trace-out system B to give the resulting state for system A. Show 
that applying the unitary U on system A commutes with tracing-out system B. In 
other words, Tre((U @ I)p(Ut @ I)) = U(Trep)U'. 


(b) Prove that one way to compute Trg is to assume that someone has measured system 
B in any orthonormal basis but does not tell you the measurement outcome. 
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Note: Part (b) shows that if some qubits in a computation will be discarded or ignored, 
one can assume for the sake of analysing the state of the remaining qubits that the 
discarded qubits have been measured. This is done, for example, in the analysis of the 
algorithms in Sections 6.5, 7.3.3, 7.4, and 7.5. 

Exercise 3.5.5 


(a) Find a pure state pap € Hae of a bipartite system AB, such that 
pas # Trp (pas) ® Tra (pas). 


Note: The partial trace Tre(p) contains all the relevant information about system A 
if system B is discarded. Similarly Tr4(p) contains all the relevant information about 
system B if system A is discarded. These local descriptions do not in general contain 
enough information to reconstruct the state of the whole system. 


(b) Show that for any density operator p on a system A, there exists a pure state w on 


some larger system A @ B such that p = Tra|q) (| and dim(A) > dim(B). 


Partial Trace and the Schmidt Decomposition 


When a bipartite vector is written in the Schmidt basis, it is very easy to compute 
the partial trace of either subsystem. For example, consider the following pure 
state on system AB, written in Schmidt form: 


p) = me Vpiles)|yP) (3.5.23) 


where we recall that {|y#)} is a basis for Ha and {|y?)} for Hg. The density 
matrix for |q) is 


= (Svmtesiiehy) [So vatese 
= Vi viv; let)? (oF (97 
= do vPivP; let) eA leP) (oP |. 


Now let us trace-out system B. 


Tra|b)(o| = 2 VPVR Tralyt) (ys lly?) (¢7 | 
= Viiv; let) (pal (eP le?) 
= pn lee bs 
7 = pile) (yf | (3.5.24) 


Similarly, Tr 4|W)(~| = > Pile?) (oP . TEAM LinG 
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Notice that in the Schmidt basis both reduced density operators are in diagonal 
form, and that their spectra (i.e. sets of eigenvalues) are the same. This sug- 
gest a method for computing the Schmidt decomposition, which is explained in 
Appendix A.7. 


3.5.3 General Quantum Operations 


We initially stated the postulates of quantum mechanics for closed systems, 
which involves pure states and unitary evolution. As we saw in the previous 
section, if we allow our system to interact with an external system, it is often 
appropriate to use mixed states to describe the state of our system. There is also 
a corresponding more general framework for describing quantum operations that 
involve external systems. Since we describe the behaviour of these more general 
operations on the density operators describing mixed states, we often call these 
operations superoperators. We will restrict attention to superoperators that do 
not require measurements.° 


A superoperator or a ‘general quantum operation’ can take as input a system 
described by a density operator pi, corresponding to a Hilbert space of dimension 
N, add an ancilla of arbitrary size (in fact, it can be shown, using Caratheodory’s 
Theorem, that the dimension of the ancilla never needs to be larger than N? and 
that we can assume without loss of generality that the ancilla is initialized to 
some fixed pure state), perform a unitary operation U on the joint system, and 
then discard some subsystem.” 


More explicitly, this can be described as the map: 
Pin > Pout = Tre(U(pin ® |00...0)(00...0])U) (3.5.25) 


where the state |00...0) is an ancilla state of arbitrary size (but without loss of 
generality has dimension at most N?), U is a unitary operation acting on the 
joint system, and B is some subsystem of the joint system. We illustrate these 
operations using circuit diagrams in Figure 4.2 after we define quantum circuits 
in Section 4.1. If B is the original ancilla system, then the superoperator does 
not change the Hilbert space of the system. In general, we can describe states 
that change the dimension of the state space. In Exercise 10.4.2 it is shown that 
action of such a superoperator (restricting attention to operators that do not 
change the Hilbert space) can be described by a finite sum® 


Pin SS AipinAl (3.5.26) 


6A more general notion of quantum operations also involving measurements are discussed 
briefly in Appendix A.8. 

‘It is important that the discarded system is never used again. Equivalently, it could be reset 
to some generic state. Otherwise, the partial trace does not capture all the relevant information 
about the state of system A. 

8Since we are restricting to finite-dimensional ancillas, the number of terms one would derive 
would be finite. In general, one can consider an infinite number of A; terms, but the resulting 
superoperator would have an equivalent formulation in terms of at most Na ghey neon terms. 
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where the A; are called Kraus operators, which are linear operators? on the same 
Hilbert space as pin and satisfy 


\_ AIA; = 1. (3.5.27) 


Conversely, every set of Kraus operators satisfying the completeness condition 
(Equation 3.5.26) can be realized by a map of the form in Equation 3.5.25 for 
some unitary U (which is unique up to a final unitary on the system that is 
traced out). 


It it easy to verify that these superoperators are ‘trace-preserving completely 
positive maps’, because (see Exercise 3.5.7) they are maps that: 


e map positive operators (in Exercise 3.5.2 we saw that density operators are 
positive) to positive operators (hence the term ‘positive’ map) 

e when tensored with the identity operation, they still map positive operators 
to positive operators (e.g. the transpose map is positive but not completely 
positive; see Exercise 3.5.6) 

e preserve the trace of the density operator (this equates to preserving the 
sum of the probabilities of the outcomes of a measurement). 


Exercise 3.5.6 Prove that the transpose map, which maps p + p’ is positive, but 
not completely positive. 


Exercise 3.5.7 Prove that superoperators, as defined in Equation 3.5.25, are trace- 
preserving completely positive maps. 


It can be proved, using the Stinespring dilation theorem, that any linear map 
from operators on one (finite-dimensional) Hilbert space to operators on an- 
other (finite-dimensional) Hilbert space that is trace-preserving and completely 
positive is equivalent to a superoperator of the form described above. Thus, lin- 
ear trace-preserving completely positive maps exactly characterize the notion of 
‘general quantum operation’ we have described. 


°In general, the A; could be linear transformations from H (of dimension N) to some other 
Hilbert space H’ of dimension D. 
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4.1 The Quantum Circuit Model 


In Section 1.3, we introduced the circuit model of (classical) computation. We re- 
stricted attention to reversible circuits since they can simulate any non-reversible 
circuit with modest overhead. This model can be generalized to a model of quan- 
tum circuits. In the quantum circuit model, we have logical qubits carried along 
‘wires’, and quantum gates that act on the qubits. A quantum gate acting on 
n qubits has the input qubits carried to it by n wires, and n other wires carry 
the output qubits away from the gate. A quantum circuit is often illustrated 
schematically by a circuit diagram as shown in Figure 4.1. The wires are shown 
as horizontal lines, and we imagine the qubits propagating along the wires from 
left to right in time. The gates are shown as rectangular blocks. For convenience, 
we will restrict attention to unitary quantum gates! (which are also reversible). 
Recall from Section 3.5.3 that non-unitary (non-reversible) quantum operations 
can be simulated by unitary (reversible) quantum gates if we allow the possibil- 
ity of adding an ancilla and of discarding some output qubits. A circuit diagram 
describing a superoperator being implemented using a unitary operator is illus- 
trated in Figure 4.2. 


In the example of Figure 4.1, the 4-qubit state |w;) = |0) @ |0) @ |0) @ |0) en- 
ters the circuit at the left (recall we often write this state as |q;) = |0)|0)|0)|0) 
or |v;) = |0000).) These qubits are processed by the gates U,,U2,U3, and U4. 
At the output of the circuit we have the collective (possibly entangled) 4-qubit 
state |w,). A measurement is then made of the resulting state. The measure- 
ment will often be a simple qubit-by-qubit measurement in the computational 
basis, but in some cases may be a more general measurement of the joint state. 
A measurement of a single qubit in the computational basis is denoted on a 
circuit diagram by a small triangle, as shown in Figure 4.1 (there are other 


1 We could consider measurements to be a special kind of gate that extracts or outputs some 
classical information about the quantum system. However, in this text we will restrict use of 
the word ‘gate’ to refer to operations that do not output such classical information. Thus the 
most general kind of operation implementable by a gate is a superoperator. Furthermore, for 
convenience, we will restrict attention to unitary gates. 
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\0) Uy | 

0 é 

|0) i Us 

\0) | 

|0) Us <| 
\w;) = |0)|0)|0)|0) ler) 


Fig. 4.1 A quantum circuit. The 4-qubit state |0)|0)|0)|0) enters the circuit on the left. 
The boxes labelled U1, U2, U3, Us represent quantum gates applied to the qubits (in the 
order indicated from left to right). The joint (possibly entangled) 4-qubit state after 
the gates are applied is |w y). The small triangles at the right side of the circuit indicate 
that each of the four qubits of the final state are measured in the computational basis 
to provide the output of the circuit. 


[-—— t 
Pin | —¥ oe AipinA,; 
U 
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Ancilla |0) —t 4 
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Garbage 


Fig. 4.2 A general (possibly irreversible) quantum operation or superoperator can be 
realized using a unitary operation by adding an ancilla and tracing out part of the 
output. Thus, we can restrict attention to unitary gates. 


symbols used in the literature, but we adopt this one). The triangle symbol will 
be modified for cases in which there is a need to indicate different types of mea- 
surements. Recall that the measurement postulate stated that a measurement 
outputs a classical label ‘2’ indicating the outcome of the measurement and a 
quantum state |¢;). Thus, we could in general draw our measurement symbol 
with a ‘quantum’ wire carrying the quantum state resulting from the measure- 
ment, together with a classical wire carrying the classical label, as depicted in 
Figure 4.3. 


Quite often, the quantum outcome is discarded or ignored, and we are only 
interested in the classical information telling us which outcome occurred. In 
such cases, we will not draw the quantum wire coming out of the measure- 
ment symbol. We will usually omit the classical wire from circuit diagrams 
as well. 
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aio|0) + aa) —.— ) 


Classical 
display 
Fig. 4.3 The measurement of the quantum state ao|0) + a;|1) results in a quantum 
output |b) with probability |a»|? (b € {0, 1}) together with a classical label ‘b’ indicating 
which outcome was obtained. If the quantum output is discarded or ignored, we usually 
omit to draw the quantum wire on the right side of the measurement symbol. The 
classical wire carrying the output label is also usually omitted. 


Fig. 4.4 The NOT gate rotating the state |0) to the state |1). 


4.2 Quantum Gates 
4.2.1 1-Qubit Gates 


In Section 3.2, we said that any unitary operator acting on a 2-dimensional quan- 
tum system (a qubit) is called a ‘1-qubit quantum gate’. We gave the quantum 
NOT gate (sometimes called the Pauli X gate) as an example (and mentioned the 
other Pauli gates). Recall the Bloch sphere from Section 3.1. Every 1-qubit pure 
state is represented as a point on the surface of the Bloch sphere, or equivalently 
as a unit vector whose origin is fixed at the centre of the Bloch sphere. A 1-qubit 
quantum gate U transforms a quantum state |q) into another quantum state 
U|w). In terms of the Bloch sphere, the action of U on |W) can be thought of as 
a rotation of the Bloch vector for |w) to the Bloch vector for U|y)). For example, 
the NOT gate takes the state |0) to the state |1) (and takes |1) to |0)). In terms 
of the Bloch sphere, this action can be visualized as a rotation through an angle 
m about the x axis, as illustrated in Figure 4.4. 


Recall in Section 2.5 we saw how to compute the exponential (and other func- 
tions) of operators. If we exponentiate the Pauli gates, we get unitary operators 
corresponding to very important classes of 1-qubit gates. These are the rotation 
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gates, which correspond to rotations about the z-,y-, and z- axes of the Bloch 
sphere. They are defined in terms of the Pauli gates, and so for convenience, we 
remind you now of the definitions of the Pauli gates: 


sith aie 


Y= : a Z= i E| (4.2.1) 


R,(@) =e 2 
R,(0) =e"? 
R,(0)=e72-. (4.2.2) 


Exercise 4.2.1 Let x be a real number and A a matrix such that A? = J. Show that 


e'4” — cos(x)I + isin(x) A. 


It is easy to check that the Pauli operators X,Y, and Z satisfy the conditions 
X?=J], Y? =T, and Z? = J, and so using the result of Exercise 4.2.7 we can 
write the rotation gates as: 


R,(0)=e 2 = cos ($) I — isin (§) X 
R,(0) = aa = cos ($) I—isin (4) Y 
R,(6) =e72 = cos (2) I — isin (2) Z. (4.2.3) 


Knowing the matrices for J, X,Y, and Z in the computational basis, we can now 
write the rotation gates as matrices in the computational basis: 


c g —isin g 
R,(8) = Bet cost) 
w= [neat 
ROS ie 3 a 
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Consider an arbitrary 1-qubit state, written in terms of its Bloch vector angles 


o and rT: i 5 
cos (5) |0) + e*” sin (=) |1). (4.2.5) 
In the computational basis, this can be written as the column vector 
cos (5) (4.2.6) 
e’7 sin (3) 


The effect of applying R,() on this state can be seen by performing a matrix 
multiplication: 


Since a global phase is insignificant, we have the state 
cos (=) 10) + (7 +9) sin (=) |1). (4.2.8) 


We see that effect of R,(0) has been to change the angle 7 to 7 + 6, which is a 
rotation of @ about the z-axis of the Bloch sphere. To see that R,(@) and R,(@) 
implement rotations about the z- and y-axes of the Bloch sphere is trickier, 
because such rotations involve changes to both angles o and rT. 


Exercise 4.2.2 Show that R,(@) and R,(@) implement rotations through an angle 6 
about the x- and y-axes of the Bloch sphere, respectively. 


It will be useful to show how to decompose any given 1-qubit gate into a sequence 
of rotations about the main axes of the Bloch sphere. The following theorem tells 
us that we can decompose any 1-qubit gate into a sequence of two rotations about 
the z-axis and one rotation about the y-axis, along with a suitable phase factor. 


Theorem 4.2.1 Suppose U is a 1-qubit unitary gate. Then there exist real 
numbers a, 3,y, and 6 such that 


U = eR, (8)Ry(7)Rz(6). (4.2.9) 


The proof of this follows from the fact that U is unitary, and the definition of the 
rotation matrices. There is nothing special about the y- and z-axes of the Bloch 
sphere. We can also give decompositions of 1-qubit gates in terms of rotations 
about any other two non-parallel axes of the Bloch sphere. 
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Theorem 4.2.2 Suppose U is a 1-qubit unitary gate. Let | and m be any two 
non-parallel axes of the Bloch sphere. Then there exist real numbers a, 3,y, and 
6 such that 


U = e**R, (3) Rm(y)Ri(6). (4.2.10) 
The following corollary of Theorem 4.2.1 will be used in the next section. 
Corollary 4.2.1 Any 1-qubit gate U can be written in the form 
U = e'*AXBXC, (4.2.11) 


where A, B,C are unitary operators satisfying ABC = I. (Recall that the Pauli 
gate X is the NOT gate.) 


Exercise 4.2.3 
(a) Prove X R,(0)X = R,(—@) and XR,(0)X = R,(-8). 
(b) Prove Corollary 4.2.1. 
Hint: Using Theorem 4.2.1 we can write 
U = e'*R.(8)Ry(7)Rz(6). (4.2.12) 


Then take A = R.(8)Ry(y/2), B = Ry(—y/2)Rz(—(6+ 8)/2), and C = R.((6- B)/2). 


4.2.2 Controlled-U Gates 


Recall in Section 3.3 we introduced the controlled-NOT (CNOT) gate. This is a 
2-qubit quantum gate that conditionally applies the NOT gate on the second 
(target) qubit when the first (control qubit) is in state |1). Remember that such 
a gate acts on quantum states in quantum superposition. 


Exercise 4.2.4 Describe the effect of the CNOT gate with respect to the following 


bases. 
)- (a) pr (2) J 


(a) Br = { 0) (SY 
(b) Bo = ml) ny ort) ny , mn) ey) 
(CE) (8) (PAP), aR) Can 
v2 v2 


Express your answers both using Dirac notation, and also with matrix notation. 


r= 
Nigra Ser 
je} 
Ss 
Fila 
S 
SLL 

L 


TEAM LinG 


QUANTUM GATES 67 


Given any 1-qubit gate U, we can similarly define a controlled-U gate, denoted 
c-U, which will be a 2-qubit gate corresponding to the following operation: 


c-U]0)|2b) = |0)|w) 
c-U|) |b) = |1)U|y). (4.2.13) 


Exercise 4.2.5 Prove that the c-U gate corresponds to the operator 


|0)(0| ® F+ |1) (1, @ UV. 


Exercise 4.2.6 We know that U and e’°U are equivalent since they only differ by a 
global phase. However, prove that c-U 4 c-(e°U ) for 6 not equal to an integer multiple 
of 27. 


The symbol commonly used for the c-U gate in a quantum circuit diagram is 
shown in Figure 4.5. 


Exercise 4.2.7 For a given 1-qubit gate U, use the result of Corollary 4.2.1 to con- 
struct a circuit for implementing a c-U gate using only CNOT gates, and single-qubit 
gates. 


Hint: Use the fact that the controlled application of e*“J to the target qubit is equivalent 
to a 1-qubit phase rotation gate acting on the control qubit. 


The construction of a controlled-U for any 1-qubit gate U is the subject of Ex- 
ercise 4.2.7. This can be generalized to allow the implementation of a controlled 
version of any quantum circuit implementing a unitary operation U. Suppose we 
are given a circuit Cy implementing a unitary U, and we wish to implement a 
circuit for the controlled-U operation. The basic technique is to replace every 
gate G in Cy by a controlled gate c-G, as shown in Figure 4.6. 


For 1-qubit gates G, the controlled gate c-G can be constructed using the method 
of Exercise 4.2.7. As we will see in Section 4.3, we can assume without loss of 
generality that Cy consists only of 1-qubit gates and CNOT gates. So the only 
thing that remains is to construct a controlled version of the CNOT gate. Recall 


oe 
U 


Fig. 4.5 The c-U gate. 
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Fig. 4.6 Given a circuit Cy implementing a unitary U, to implement a circuit for the 
controlled-U operation we replace every gate G in Cy by a controlled gate c-G. 


Fig. 4.7 Suppose that at some point in a computation there is some qubit that will 
only be used as a control qubit in subsequent controlled-U, operations before being 
discarded. The same result is obtained if one measures the qubit in the computational 
basis and then classically controls the U, gates. 


from Section 1.3 that a controlled-cnot gate is called a Toffoli gate. As we shall 
see in Section 4.3, the Toffoli gate can be implemented by a circuit containing 
CNOT gates and some 1-qubit gates. So we can use this replacement for each 
of the Toffoli gates generated in our construction of the controlled-U circuit. 
This completes the construction of a circuit for implementing the controlled-U 
operation. 


Exercise 4.2.8 Suppose that at some point in a computation there is some qubit 
that will only be used as a control qubit in subsequent controlled-U; operations before 
being discarded. By controlled-U, we mean the transformation applies some unitary 
Uo on some other qubit(s) in the computation if the control qubit is in state |0) (in 
the previous examples of controlled-gates, Up = I) and applies some unitary U, if the 
control qubit is in state |1). Prove that one obtains the same result if one measures the 
qubit in the computational basis and then classically controls whether to apply Uo or 
U,. (This is illustrated in Figure 4.7.) 


4.3. Universal Sets of Quantum Gates 


The gates we have seen so far have acted on either a single qubit, or on two 
qubits. An interesting quantum algorithm would, in general, be some complicated 
unitary operator acting non-trivially on n-qubits. In classical computing, we 
implement complicated operations as a sequence of much simpler operations. In 
practice, we want to be able to select these simple operations from some set 
of elementary gates. In quantum computing, we do the same thing. The goal 
is to choose some finite set of gates so that, by constructing a circuit using 
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only gates from that set, we can implement non-trivial and interesting quantum 
computations. 


When we use a circuit of quantum gates to implement some desired unitary 
operation, in practice, it suffices to have an implementation that approximates 
the desired unitary to some specified level of accuracy. We need to make precise 
the notion of the quality of an approximation of a unitary transformation. Sup- 
pose we approximate a desired unitary transformation U by some other unitary 
transformation V. The error in the approximation is defined to be 


E(U,V)= max||(U -—V)|v)|| (4.3.1) 


(recall Equation (2.2.11) for the definition of the norm). When we say that an 
operator U can be ‘approximated to arbitrary accuracy’, we mean that if we are 
given any error tolerance « > 0, we can implement some unitary V such that 
E(U,V) <e. 


Exercise 4.3.1 Show that 


E(U2U1, V2Vi) < E(U2, V2) + E(U1, Vi). (4.3.2) 


From Exercise 4.3.1 it follows that 


E(U,Un—1 see U;, VrVn—1 eee Vi) < E(Un, Vn) + E(Un-1, Vn—1)+ Pe -+E(U,, V)). 
(4.3.3) 


Definition 4.3.1 A set of gates is said to be universal if for any integer n > 1, 
any n-qubit unitary operator can be approximated to arbitrary accuracy by a 
quantum circuit using only gates from that set. 


Finding convenient universal sets of gates is of great practical importance as well 
as of theoretical interest. Since a universal set of gates must be able to implement, 
for example, the CNOT, it will have to contain at least one non-trivial gate on 
two or more qubits. 


Definition 4.3.2 A 2-qubit gate is said to be an entangling gate if for some 
input product state |w)|¢) the output of the gate is not a product state (i.e. the 
output qubits are entangled). 


The following universality result is a useful starting point. 


Theorem 4.3.3 A set composed of any 2-qubit entangling gate, together with 
all 1-qubit gates, is universal. 
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Theorem 4.3.3 implies, for example, that the CNOT gate together with all 
1-qubit gates is universal.? The theorem gives sets that are universal in a stronger 
sense required by Definition 4.3.1. With an entangling 2-qubit gate and all 
l-qubit gates, we can implement any n-qubit unitary exactly. A shortcoming 
of Theorem 4.3.3 is that the universal sets of gates it provides are infinite. It 
is useful to find a finite set of gates that is universal. A natural starting point 
in this direction is to look for a finite set of 1-qubit gates that can be used to 
approximate any 1-qubit gate to arbitrary accuracy. 


Definition 4.3.4 A set of gates is said to be universal for 1-qubit gates if any 
1-qubit unitary gate can be approximated to arbitrary accuracy by a quantum 
circuit using only gates from that set. 


Theorem 4.2.2 states that for any two non-parallel axes | and m of the Bloch 
sphere, the set consisting of the rotation gates R)(G) and R»(y) for all 
8,7 € (0,27) is universal for 1-qubit gates. This implies the following corollary 
(see Exercise 4.3.2). 


Theorem 4.3.5 If a set of two 1-qubit gates (rotations) G = {Ri(3), Rm(y)} 
satisfies the conditions 


(i) | and m are non-parallel axes of the Bloch sphere, and 
(ii) B,y € [0,27) are real numbers such that g and + are not rational 


then G is universal for 1-qubit gates. 


Exercise 4.3.2 Let Rm(61), Rm(02) be 1-qubit rotations about the same axis. 


(a) Show that distance between R»(91) and Rm(62) satisfies E(Rm(A1), Rm(02)) < 
|e" ae 2°92 | < |01 = 62|. 


(b) Let 6 € [0, 277) is such that 8 is not rational. Prove that for any e > 0, and for any 
6 € [0, 27), there exists an integer n such that E( RF, (3), Rm(0)) < e. 


Hint: Use the pigeon-hole principle, which states the following. If N > M, then par- 
titioning N elements into M disjoint sets, gives at least one set with more than 1 
element. 


As a concrete example, we give a simple set satisfying the conditions of Theo- 
rem 4.3.5. In this direction, we first take a short detour to introduce two impor- 
tant 1-qubit gates. 


The Hadamard gate, H, is defined as that gate mapping the computational basis 


states as follows: 


?Recall that for reversible classical computation, 1- and 2-bit reversible gates were not 
universal. 
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H\0) = 45(\0) + |1)) 
H\1) = 35(l0) —|1)). (4.3.4) 


The Hadamard gate has the following matrix representation (with respect to the 
computational basis): 


ais). (4.3.5) 


One useful property of the Hadamard gate is that it is self-inverse, meaning 
H = H™!, and so 


H(5(l0) + 1))) = 0) 
H(5(l0) - [1))) = 1). (4.3.6) 


Another 1-qubit gate that will be important for us is the $-phase gate, T, which 
acts on the computational basis states as follows: 


T|0) = |0) 
T\1) =e%4|1). (4.3.7) 


The {-phase gate has the following matrix representation: 


1 0 
T= a a : (4.3.8) 
Note that T is equivalent to 
e's 
| 0 a (4.3.9) 


(up to global phase), which is why we call it a {-gate. 
The following result holds. 


Lemma 4.3.6 The set G= {HTHT,THTH} satisfies the conditions of Theo- 
rem 4.3.5. 


This immediately gives the following corollary. 
Corollary 4.3.1 The set {H,T} is universal for 1-qubit gates. 
Recalling Lemma 4.3.3, we now have the following universality result. 


Theorem 4.3.7 The set {CNOT, H,T} is a universal set of gates. 


4.4 Efficiency of Approximating Unitary Transformations 


In the previous section, we have stated that an arbitrary unitary transformation 
can be simulated using gates from a fixed universal set, such as {H, CNOT, T} 
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(Theorem 4.3.7). We have said nothing about how efficiently this can be done 
however. If we wish to implement a given unitary transformation U (correspond- 
ing to some computation), we would be interested in being able to do this using 
a polynomial number of gates from our universal set. Here, ‘polynomial’ is taken 
to mean ‘polynomial in 1 and in the number of qubits n’, where e¢ is the desired 
quality of the estimate of U. 


In fact, most unitary transformations cannot be efficiently approximated using 
gates from our universal set; this can be shown by counting arguments (since 
there are many more transformations than efficient circuits). 


The difficulty in efficiently implementing some unitary transformations does not 
lie in the complexity of simulating arbitrary 1-qubit gates from a finite set of 
1-qubit gates, since the decomposition described in Exercise 4.3.2 can be done 
in time polynomial in + provided n-bit approximations® of all the coefficients 
of the gates can be computed in time polynomial in n. A result known as the 
Solovay—Kitaev theorem promises that we can do much better and find a set G 
of 1-qubit gates such that any arbitrary 1-qubit gate can be approximated to 
arbitrary accuracy using a sequence of a poly-logarithmic number of gates from 
G. In other words, if we want to approximate a given unitary with error less than 
€, we can do so using a number of gates that is polynomial in log (+). 


It is worth discussing some of the consequences of the Solovay—Kitaev theorem. 
Suppose we are given a quantum circuit consisting of several CNOT gates, and m 
1-qubit gates, and we wish to approximate this circuit using only gates from the 
universal set {CNoT}UG. Suppose we approximate each 1-qubit gate in the cir- 
cuit with error at most <. Then the overall error in the approximation of the 
circuit is bounded by e (recall Equation 4.3.3). So, if we want to approximate 
the circuit using only gates from our universal set {CNOT}U G, and if we want 
the total error in the approximation to be at most €, we should aim to approx- 
imate each 1-qubit gate in the circuit with error at most =~. We are now faced 
with the following question of efficiency: ‘how many gates from G are required 
to approximate each 1-qubit gate with error at most =?’ A special case of the 
Solovay—Kitaev theorem answers this question. 


Theorem 4.4.1 (Solovay—Kitaev) If G is a finite set of 1-qubit gates satisfying 
the conditions of Theorem 4.3.5 and also 


1 


(iii) for any gate g € G, its inverse g~~ can be implemented exactly by a finite 


sequence of gates in G, 


then any 1-qubit gate can be approximated with error at most € using O (log® (4)) 
gates from G, where c is a positive constant. 


3By n-bit approximation, we mean a rational approximation of the form on with error at 


1 
most an: 
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Thus, according to the Solovay—Kitaev theorem, any l-qubit gate can be ap- 
proximated with error at most - using O (log® ()) gates from a finite set G 
that is universal for 1-qubit gates, and that contains its own inverses (or whose 
inverses can be constructed exactly from a finite sequence of gates from G). It 
is worth noting that if n-bit approximations of the coefficients of the gates in G 
can be computed in time polynomial in n, then the efficient decompositions can 
be found in time polynomial in log(4). 


Notice that the set {H,T} satisfies these conditions. For a circuit having m 
1-qubit gates, the approximation of these gates requires at most 


O (mlog® (=)) (4.4.1) 


gates from a universal set. This is a poly-logarithmic increase over the size of the 
original circuit. 


4.5 Implementing Measurements with Quantum Circuits 


In this section we examine how quantum circuits diagrams can be used to de- 
scribe and implement the various types of quantum measurements described in 
Section 3.4, using only measurements of qubits with respect to the computational 
basis, and a universal set of unitary gates (for simplicity, in this section, we will 
assume that we can implement any unitary operation exactly). 


After some examples of measuring simple two-state systems, we stated Postulate 
4 in terms of a Von Neumann measurement with respect to some orthonormal 
basis B = {|y,;)}. Such ‘complete’ projective measurements are used commonly 
in quantum computing and quantum communication. In the next section, the 
superdense coding and quantum teleportation protocols will rely on the ability 
to perform certain Von Neumann measurements. 


Given an orthonormal basis |y;), suppose we have a state |W), which we write 
in this basis: 
lv) = S- ajly;). (4.5.1) 
J 


Recall that a Von Neumann measurement of |7) with respect to the basis {|p;)} 
is described by the orthogonal projectors {|y;)(p;|}, and will output the result 
‘7’ with probability 


Tr(lb) (Iles) eal) = Teel) les) 
= (esl) bly;) 
= |(eslb))? 
= |a,|’. (4.5.2) 


Given a device that will measure individual qubits in the computational basis, 
we can use a quantum circuit to implement Von Neumann measurements of 
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225 O51%5) U 7 —u |Y;) 


i] 


With probability |a,; 


Fig. 4.8 Circuit implementing a Von Neumann measurement with respect to the basis 
{|¢;)}. First U is applied to perform a basis change to the computational basis. Then 
a measurement is made in the computational basis, obtaining a specific (classical) 
outcome ‘7’ with probability |a;|?. The state of the system after this measurement is |7). 
Finally U—! is applied to change back to the {|2);) }-basis, leaving the post-measurement 
state |~;). 


@ 
5 Os1%5) U i Ut ly;) 
X | 
}000) xX ky 
xX I) A 


With probability lo; |? 


Fig. 4.9 Another circuit implementing the Von Neumann measurement. This time 
instead of directly measuring the state after the basis change effected by U, the mea- 
surement result is written to an ancillary register, creating the state >), a;|7)|j). The 
inverse basis change U~' leaves the state >, |¢;)|9). A measurement of the ancillary 
register in the computational basis gives the result ‘j’ with probability |a;|? and leaves 
the main register in the state |@;). 


a multi-qubit register with respect to any orthonormal basis {|y,;)}. This can 
be done as follows. First, we construct a quantum circuit that implements the 
unitary transformation 


U\ps) = |) (4.5.3) 


(where the index j is assumed to be written in n-bit binary, |j) is the corre- 
sponding n-qubit computational basis state). The operator U performs a basis 
change from the {|y;)}-basis to the computational basis. Given a general state 
>; 2/93), we use the circuit to perform the basis change U, and then make 
a measurement of the register in the computational basis. Finally, we perform 
the inverse basis change U~+ (by running the circuit for U backwards, replacing 
each gate by its inverse). This network is shown in Figure 4.8. An alternative 
approach is illustrated in Figure 4.9. In the alternative approach, we do not di- 
rectly measure the state (with respect to the computational basis) after the basis 
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i) Hl} 


i) x Biz) 


l~1) v2) |s) 


Fig. 4.10 A circuit implementing a basis change from the computational basis to the 
Bell basis. 


change, but instead we ‘copy’* the values onto an ancillary register, which we 
then measure in the computational basis. 


As an example of how to implement the unitary basis change U, suppose we want 
to implement a Von Neumann measurement of a 2-qubit state, with respect to 
the orthonormal basis {|Go0), |Go1), |F10), |G11) } where 


|800) = 75100) + Zsl11) — 801) = Yg|01) + 3/10) 
G10) = Jxl00) — F511) B11) = Jyl01) — Jy 10). (4.5.4) 


This basis is known as the Bell basis, and the four states |o0), |Go1), | G10); |B11) 
are called the Bell states (also called EPR pairs). These states arise often in 
the study of quantum computation. A circuit that implements the basis change 
from the computational basis to the Bell basis is shown in Figure 4.10 (for the 
basis change from the Bell basis to the computational basis, we could run this 
circuit backwards). Suppose the input to the circuit in Figure 4.10 is the basis 
state |y1) = |00). Consider the state as it passes through the circuit. After the 
Hadamard gate, the state is 


lyv2) = J5(I0) + |1))|0) (4.5.5) 
= a (00) + |10)). (4.5.6) 


Note that the order of the qubits has been maintained in the above. Next, the 
controlled-NOT gate transforms this state into 


|\¢3) = Yq (100) + |11)). (4.5.7) 


We have |y~3) = |Go0), and so we have verified that the circuit performs the basis 
change correctly on the input state |00). Similarly, the circuit performs the basis 
change correctly for the remaining three computational basis states |01),|10), 
and |11), transforming them to |o1),|Gi0), and |11), respectively. 


In order to implement a ‘Bell measurement’ (i.e. a Von Neumann measurement 


with respect to the Bell basis), one could implement the circuit in Figure 4.9 


4By ‘copy’ we mean that we perform the reversible (unitary) transformation that copies 
computational basis states. We are not cloning arbitrary superpositions. 
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7 ~ Sal 


Fig. 4.11 A measurement with respect to the Bell basis can be implemented by the 


above circuit. Here we assume that we discard (or ignore) the resulting quantum state, 
and only output one of four labels 00, 01, 10, or 11 indicating the measurement outcome. 
Note that these two measurements are only equivalent in terms of their net result. In 
general, a Bell measurement does not require implementing a CNOT gate. 


backwards, measure in the computational basis, and then apply the circuit in 
Figure 4.9 forwards again. If we only care about the classical measurement out- 
come, labelled by two bits 00,01, 10, or 11, then we do not need to implement the 
Bell basis change again after the measurement. This equivalence is illustrated in 
Figure 4.11. 


It will be very important for quantum computing, in particular for quantum 
error correction, to be able to implement general projective measurements, and 
not complete Von Neumann measurements. Consider a projective measurement 
with respect to the decomposition 


I= >. P,, (4.5.8) 
where P; has rank r;. In other words 
B= >) Wag eg 
j=l 


where the the states {|q;,;)} are an orthonormal basis for the Hilbert space of 
dimension N = )0, rj. 


Let Up be a circuit that maps |q);,;)|0) > |¢~i,j) |i). One way (but not the only 
way) to implement Up is to perform a basis change U : |wj,;) + |t, 7), ‘copy’ 7 
to the ancilla register, and then apply U~!. 


As an example, we consider a collection of projectors that are already diago- 
nal in the computational basis, the parity projectors Po and P, (defined earlier 
in Section 3.4). Any input state |~) = >>, G:|z) can be rewritten as 
Ih) = aolPo) + ai|¥1), where (Yo|y1) = 0, a = VW (Y|Pilp), and |yi) = Pilv 
(as shown in Exercise 3.4.1). A parity measurement should output ‘0’ and the 
state |Wo) with probability |ao|? and output ‘1’ and the state |y1) with proba- 
bility jai|?. 


One can implement Up with a sequence of CNOT gates, as illustrated in Figure 
4.12. Thus after the Up circuit, we have the state 
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|21) @ 21) 


|a2) @ £2) 


|x3) ' #3) 
|0) xX xX xX ®1 Or x3) 


Fig. 4.12 A circuit computing the parity of three qubits. 


j | With probability |a,|? 
I) e f |v) be {0,1} 


X AX AX |b 


Fig. 4.13 A circuit implementing a parity measurement. 


Yl acl|z)|parity(z))= S7  azla)|0)+ S$) aela)|t) 


parity(x)=0 parity(“)=1 


= ao|vo)|0) + a1|y1)|1). 


Thus measuring the ancilla qubit will leave the first register in the state |W) 
with probability |a@o|? and in the state |%1) with probability |a,|?, as required. 
Therefore, this circuit will implement a parity measurement on an arbitrary 3- 
qubit state, as depicted in Figure 4.13. 


It is worth emphasizing what differentiates this projective parity measurement 
from a Von Neumann measurement followed by classical post-processing to com- 
pute the parity. The projective measurement measures only the parity of the 
strings in the quantum state, and no other information, leaving one of the super- 
position states |Wa) or |W). A complete Von Neumann measurement would have 
extracted more information than needed, and we would have been left with a 
random basis state |a) of a specific parity instead of a superposition of all strings 
with the same parity. 


We have introduced the basic building blocks of quantum circuits and presented 
circuit diagrams as a useful tool for describing quantum circuits and quantum op- 
erations in general. The remaining chapters will show how to construct quantum 
circuits to implement quantum protocols and algorithms. The quantum algo- 
rithms will be described in terms of uniform families of acyclic quantum circuits, 
where by uniform we mean that a classical computer can produce the quantum 
circuits in time polynomial in the size of the circuit. 
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SUPERDENSE CODING 
AND QUANTUM 
TELEPORTATION 


We are now ready to look at our first protocols for quantum information. In this 
section, we examine two communication protocols which can be implemented 
using the tools we have developed in the preceding sections. These protocols 
are known as superdense coding and quantum teleportation. Both are inherently 
quantum: there are no classical protocols which behave in the same way. Both 
involve two parties who wish to perform some communication task between them. 
In descriptions of such communication protocols (especially in cryptography), it 
is very common to name the two parties ‘Alice’ and ‘Bob’, for convenience. We 
will follow this tradition. We will repeatedly refer to communication channels. 
A quantum communication channel refers to a communication line (e.g. a fiber- 
optic cable), which can carry qubits between two remote locations. A classical 
communication channel is one which can carry classical bits (but not qubits).1 
The protocols (like many in quantum communication) require that Alice and 
Bob initially share an entangled pair of qubits in the Bell state 


\Goo) = Jy (100) + |11)). (5.0.1) 


The above Bell state is sometimes referred to as an EPR pair. Such a state would 
have to be created ahead of time, when the qubits are in a lab together and can 
be made to interact in a way which will give rise to the entanglement between 
them. After the state is created, Alice and Bob each take one of the two qubits 
away with them. Alternatively, a third party could create the EPR pair and give 
one particle to Alice and the other to Bob. If they are careful not to let them 
interact with the environment, or any other quantum system, Alice and Bob’s 
joint state will remain entangled. This entanglement becomes a resource which 
Alice and Bob can use to achieve protocols such as the following. 


1Often the term ‘channel’ is used to refer to the mathematical transformation that occurs 
on bits or qubits when undergoing a general quantum operation. We will use this term in this 
sense in Chapter 10. 
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5.1 Superdense Coding 


Suppose Alice wishes to send Bob two classical bits of information. Superdense 
coding is a way of achieving this task over a quantum channel, requiring only 
that Alice send one qubit to Bob. Alice and Bob must initially share the Bell 
state 


Boo) = Jy (100) + |11)). (5.1.1) 


Suppose Alice is in possession of the first qubit and Bob the second qubit. Alice 
performs one of four 1-qubit gates, depending on the 2 classical bits she wishes 
to communicate to Bob. For convenience, we remind you again of the definitions 


of the Pauli gates: 
_ {10 — |O1 
=f] x= Py 12) 
_ |0-2 _ |1 0 
Y= F Al Z= f =| : (5.1.3) 


If Alice wishes to send the bits 00 to Bob, she does nothing to her qubit (or 
equivalently, applies the identity gate I). If she wishes to send 01, she applies 
the X gate to her qubit. If she wishes to send 10, she applies the Z gate; and 
if she wishes to send 11, she applies Z- X (i.e. she applies the X gate followed 
by the Z gate). The following list summarizes the resulting joint 2-qubit state 
in each case: 


Tosend Transformation 


00 Pel: <5 (00) + |11)) + Js (100) + |11)) = |o0) 
01 X@I: 5 (00) +|11)) 4 a ( 01) + |10)) = |Go1) 
10 Z@I: Fz (|00) + |11)) + Fy (100) — |11)) = |Gr0) 
11 Z-X @I: F;(|00) + |11)) + Jy (101) — |10)) = |611) 
You should verify the above states. After applying the appropriate gate, Alice 


sends her qubit to Bob. Then Bob is in possession of one of the four Bell states, 
depending on the classical bits Alice wished to send to him. Bob can now sim- 
ply perform a measurement of the joint 2-qubit state with respect to the Bell 
basis (i.e. the basis {|G00), |o1), |G10), |G11) })- Such a measurement can be im- 
plemented as described in Section 4.5 by first performing a change of basis to 
the Bell basis, and then performing a measurement in the computational basis 
(illustrated in Figure 4.11). 


The outcome of the Bell measurement reveals to Bob which Bell state he pos- 
sesses, and so allows him to determine with certainty the two classical bits Alice 
wanted to communicate to him. The superdense coding protocol is illustrated in 
Figure 5.1. 
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a b 
VA 
AZ 
: Alice 
(00) + |11)) 
Bob Be | 2 


Fig. 5.1 The superdense coding protocol in which Alice sends two bits of classical 
information by sending one physical qubit to Bob. Alice and Bob initially share an 
EPR pair J (00) + 11)). Alice applies the operation Ua, = Z°X* depending on the 
classical bits a,b that she wishes to send. After sending her qubit to Bob, he measures 
his pair of qubits in the Bell basis. This measurement gives Bob the two values ‘a’ and 
‘b’ corresponding to the Bell state |3.,) in his possession. 


5.2 Quantum Teleportation 


For quantum teleportation, the scenario is that Alice wishes to communicate the 
state of a qubit to Bob. Suppose Alice only has a classical channel linking her 
to Bob. To send the state of a qubit exactly, it would seem that Alice would 
either have to send the physical qubit itself, or she would have to communicate 
the two complex amplitudes with infinite precision. However, if Alice and Bob 
possess an entangled state this intuition is wrong, and a quantum state can be 
sent exactly over a classical channel. 


Teleportation is a protocol which allows Alice to communicate the state of a 
qubit exactly to Bob, sending only two bits of classical information to him. Like 
superdense coding, teleportation requires that Alice and Bob initially share the 
Bell state 


Goo) = J (100) + |11)). (5.2.1) 


Suppose Alice wants to teleport the state |~) = ao|0) + ai|1) to Bob. Then, the 
circuit shown in Figure 5.2 implements the teleportation protocol, and transmits 
the state |¢) from Alice to Bob. 


The 3-qubit state possessed jointly by Alice and Bob is initially 


|) S00). (5.2.2) 


Notice that by regrouping the qubits (but keeping them in the same order), this 
state can be written as 


4)|B00) = 51800) |b) + $1601) (X]b)) + §1F10)(Z])) + 51G11)(XZ|p)). (5.2.3) 


Alice makes a measurement of the first two qubits in the Bell basis. The joint 
Alice-Bob state after this measurement is one of 
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= (00) + |11)) v v 


XFZ Iv) 


Fig. 5.2 A circuit implementing quantum teleportation. The top two lines represent 


Alice’s qubits, and the bottom line represents Bob’s qubit. Initially, Alice is in pos- 
session of the state |W), and she shares an EPR pair with Bob. Alice performs a joint 
measurement of |y») and her half of the EPR pair in the Bell basis. She sends the result 
of this measurement (classical bits, a and b) to Bob over a classical channel (shown in 
the figure as dashed arrows). The values of a and 6 are used to control the operations 
Bob performs on his qubit. After Bob performs his final operation, his qubit is left in 
the state |). 


|800) |), (5.2.4) 
|801)(X|v)), (5.2.5) 
|P10)(Z|)), (5.2.6) 
|P11)(XZ|p)), (5.2.7) 


each with probability i. The classical bits a and b resulting from Alice’s mea- 
surement indicate which of the four states is obtained. When Alice sends these 
two bits to Bob, he learns whether his qubit is left in the state |W), X|w), Z|), 
or X Z|). Depending on which state he has (i.e. depending on the values of the 
classical bits, a and b), Bob performs one of the following operations to transform 
his state into |~). 


Exercise 5.2.1 Prove that 


|2b)|800) = 51600) |) + 51/801) (X |b) + 5|F10)(Z]p)) + 51Gr1)(XZ|h)). (5.2.8) 


M,,M2 Bob performs 


0,0 i ag|0) + ay |1) + agl0) + ai|1) = |v) 
0,1 X ag|1) + a1|0) +> ag|0) + ai|1) = |v) 
1,0 Zs ag|0) — ay|1) + agl0) + ai|1) = |e) 
it Z+X: ag|1) — a4|0) +> a|0) + ar|1) = |) 
So Bob conditionally applies Z and X to his qubit (classically) conditioned on 
the values a and b, respectively. After this transformation, Bob is guaranteed to 
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have the state |7), and so the state has been successfully teleported from Alice 
to Bob. Note that it is somewhat remarkable that Alice could send a quantum 
state exactly to Bob without actually sending any quantum information; she 
only needs to send 2 bits of classical information! 


Teleportation provides a beautiful illustration of the power of entanglement as 
a resource for quantum computing and quantum communication. It allows us to 
replace the task of sending a qubit with the task of establishing one EPR pair 
of entanglement, sending two classical bits and performing a local Bell measure- 
ment. Establishing the EPR pair can be attempted repeatedly until successful, 
without damaging the state to be teleported. Sending classical bits does not 
require a quantum communication channel. Bob can also perform his Bell mea- 
surement without a quantum channel to Alice. So teleportation is a powerful 
tool for moving quantum information between locations that may be separated 
by a long distance. 


5.3. An Application of Quantum Teleportation 


Quantum teleportation turns out to have an interesting and remarkable appli- 
cation to quantum circuits. As we have seen, to implement quantum circuits in 
general, we need to have access to a universal set of quantum gates. Such a set 
always includes at least one gate that acts on two qubits. The CNOT gate is a 
common choice. It is often much more difficult technologically to implement gates 
that act on more than one qubit, since controlling coupled quantum systems is 
very challenging. It may be that a particular implementation of the CNOT gate 
is not perfect, but fails some of the time. If a CNOT gate fails in the middle of 
some long computation, the state of the qubits on which it was acting will be 
corrupted. Without some form of error correction, this will lead to an unreliable 
result for the computation. 


One way around this problem might be to create a copy of the state we would 
like to apply the CNOT gate to, and keep the copy in a safe place. If the CNOT 
gate fails, then we can simply make another copy for safe keeping, and try the 
CNOT again. Unfortunately, this is impossible, by a result known as the no- 
cloning theorem, which says that it is impossible to implement a circuit that 
will perfectly copy an unknown quantum state. We will examine the no-cloning 
theorem in more detail in Section 10.4.2. 


What we would like is a way of non-destructively applying the CNOT gate 
so that if it fails the quantum state of the relevant qubits is not corrupted, 
and we can simply try the CNOT gate again. Quantum teleportation gives us 
a way of doing this, provided we have the ability to prepare a Bell state, to 
do single bit rotations, and to measure Bell states directly. This scheme trans- 
forms the technological problem of implementing a CNOT gate into the 
technological problem of creating an entangled state. It is illustrated in the 
sequence of Figures 5.3-5.7. We wish to perform a CNOT gate between a control 
qubit in the state ao|0) + ai|1) and a target qubit in the state yo|0) + y1|1). 
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Fig. 5.3 Teleportation circuits to teleport the states ao|0) + a1|1) and yo|0) + y1|1). 
Note that the state of the two logical qubits is unaffected by this circuit, and so can 
be viewed as an implementation of the identity operation. 


a|0) + a]1) M 


a9 |00) +0971 |01) 
+aYo|11)+a171|10) 


0) Ff q = a Ma 


010) + yal) PN Ms” 


Fig. 5.4 A CNOT gate between the pair of teleported states. The overall effect on the 
state of the two logical qubits is the CNOT operation. 


This could be done directly but at the risk of corrupting the quantum in- 
formation when the gate fails. Instead, we can use two teleportation proto- 
cols: one for the control bit and the other for the target one, as shown in 
Figure 5.3. 


In Figure 5.4, we apply the CNOT gate to the teleported states. 


Figure 5.5 illustrates the ‘trick’. We can add a pair of CNOT gates to the middle 
two qubits as shown. This does not change the overall behaviour of the circuit, 
since the combined effect of the two CNOT gates on those qubits is the identity. 
We can regroup the CNOT gates, as shown by the dashed boxes in Figure 5.5. 
It is easy to check that the effect of the portion ofthe circuit in the first (left) 
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Fig. 5.5 A pair of CNOT gates added to the circuits. Notice that the pair of CNOT 
gates has no net effect. 
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Fig. 5.6 The pair of CNOT gates can be removed if we modify the classical logic 
controlling the application of the X and Z gates. 


dashed box is to create the 4-qubit entangled state 


|0000) + |0011) + |1110) + |1101) 
) 


Consider the portion of the circuit in the second (right) dashed box. The only im- 
pact of the CNOT gates is to alter the conditions on which the X and Z gates are 
applied separately to the two qubits. For example, if M, = 0, Mz = 0, M3 = 1, 
and M, = 0, the effect of the circuit in the dashed box is the same as ap- 
plying Z separately to both qubits. For any combination of M,, M2, M3, Mg, 
the desired effect can be achieved by applying some appropriate combination 
of X and Z gates individually to the two qubits in the dashed box. So this 
means we can remove the CNOT gates from this dashed box if we appropri- 
ately modify the classical logic controlling the X and Z gates. This is shown 
in Figure 5.6. 


TEAM LinG 


AN APPLICATION OF QUANTUM TELEPORTATION 85 


4 
a0) + B]1) 
Machine " " xX Z 
oe stat viv , i 
for creating the state aasSical Rene? ay|00) +a6|01) 
|0000) +0011) +1110) +|1101) logic fe 5 “A ‘ 
2 AK = Y) + By|11)+6|10) 
- BELL) 
70) + 6|1) NN 


Fig. 5.7 A circuit for applying a CNOT gate between two qubits in a quantum com- 
putation, without risking destroying the state of the two qubits if the CNOT gate fails. 


Exercise 5.3.1 Derive the ‘classical logic’ in Figure 5.6 (i.e. specify the mapping 
Mi, M2, Ms, Ms Lad Mi, Mg, M3, M, 


for all values of Mi, Mz, M3, Ma). 


Note that we are only requiring a Bell measurement that provides the classical 
outcomes M;, Mz. As we mentioned in the caption of Figure 4.11, a Bell mea- 
surement does not require implementing a CNOT gate. We also do not need the 
resulting Bell state GM, Mz and thus the implementation of this measurement 
could for example destroy the Bell state in the process of measurement. 


Notice that the first dashed box in Figure 5.6 makes use of CNOT gates. It is 
easy to verify that the effect of the circuit in this dashed box is only to create 
the state 
|0000) + 0011) + |1110) + |1101) 
2 


It suffices to have some machine that generates the above state, and some means 
of verifying that it has succeeded. Even though this machine uses CNOT gates, 
the point is that if it fails to create the state (5.3.1), our verification procedure 
will tell us this, and we can try the machine again with four freshly prepared 
qubits in the state |0). So in Figure 5.6, we replace the first dashed box with a 
generic machine for creating the state 5.3.1, which we assume will also contain 
a procedure for verifying that the state has been successfully created. 


, (5.3.1) 


With the modifications described above, a circuit for implementing the CNOT 
gate on two qubits is shown in Figure 5.7. 
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INTRODUCTORY 
QUANTUM ALGORITHMS 


In this chapter we will describe some of the early quantum algorithms. These 
algorithms are simple and illustrate the main ingredients behind the more useful 
and powerful quantum algorithms we describe in the subsequent chapters. 


Since quantum algorithms share some features with classical probabilistic algo- 
rithms, we will start with a comparison of the two algorithmic paradigms. 


6.1 Probabilistic Versus Quantum Algorithms 


Classical probabilistic algorithms were introduced in Chapter 1. In this section 
we will see how quantum computation can be viewed as a generalization of 
probabilistic computation. 


We begin by considering a simple probabilistic computation. Figure 6.1 illustrates 
the first two steps of such a computation on a register that can be in one of the 
four states, labelled by the integers 0,1,2, and 3. Initially the register is in the 
state 0. After the first step of the computation, the register is in the state j with 
probability po,;. For example, the probability that the computation is in state 
2 after the first step is po,2. In the second step of the computation, the register 
goes from state 7 to state k with probability q;,. For example, in the second 
step the computation proceeds from state 2 to state 3 with probability qo,3. 


Suppose we want to find the total probability that the computation ends up in 
state 3 after the second step. This is calculated by first determining the proba- 
bility associated with each computation ‘path’ that could end up at the state 3, 
and then by adding the probabilities for all such paths. There are four compu- 
tation paths that can leave the computation in state 3 after the first step. The 
computation can proceed from state 0 to state 7 and then from state 7 to state 
3, for any of the four 7 € {0,1,2,3}. The probability associated with any one 
of these paths is obtained by multiplying the probability po,; of the transition 
from state 0 to state 7, with the probability q;,3 of the transition from state 7 to 
state 3. The total probability of the computation ending up in state 3 is given 
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Fig. 6.1 A classical probabilistic computation acting on a register that can be in 
one of four states labelled 0,1,2,3. The po,; are the probabilities for the computation 
proceeding from state 0 to state j in the first step. The q;,x represent the probabilities 
for the computation proceeding from state 7 to state k in the second step. 


Fig. 6.2 The classical probabilistic computation viewed in a quantum setting. The 
transition probabilities as squared norms of quantum probability amplitudes. We have 
Po,j = |0,j|° and qj,n = |8;,x|?. This can be viewed as a quantum computation in 
which the state is measured after each step. 


by adding these four possibilities. So we have 


prob(final outcome is 3) = S > P0,54).3- (6.1.1) 
J 


Another way of looking at this computation is to suppose the register con- 
sists of two qubits, and let the labels 0,1,2,3 refer to the four basis states 
|00),|01),|10),|11), respectively. Then view each of the transition probabilities 
as a squared norm of a quantum probability amplitude, so that po,; = |ao,;|? 
and q;,x = |3;,n|”. This approach is shown in Figure 6.2, which can be viewed as 
a quantum computation in which the state is measured after each step. 


If we measured the state (in the computational basis) immediately after the first 
step of the computation, the probability associated with outcome 2 would be 


prob(measurement after first step gives 2) = |ao,2|7 = po. (6.1.2) 
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Fig. 6.3 A fully quantum computation. Here the state is not measured until after the 
second step. 


As before, the total probability of measuring outcome 3 after the second 
step is 


prob(final outcome is 3) = S- loo, g|7183,3/7 (6.1.3) 
J 

= S- |a0,534,3l" (6.1.4) 
J 


which is the same probability as in Equation 6.1.1. 


In this example, since we assume that the state is measured after each step, we 
would know the intermediate state 7, and thus we would know which computation 
path leading to the final state 3 was taken. The total probability of arriving at 
the final state 3 is determined by adding the squared norm of the probability 
amplitude ao,;3;,3 associated with each path (i.e. we add the probabilities for 
the four paths, and not the probability amplitudes). 


In a fully quantum algorithm, we would not measure the state immediately 
after the first step. This way the quantum probability amplitudes will have a 
chance to interfere. For example, some negative amplitudes could cancel with 
some positive amplitudes, significantly affecting the final probabilities associated 
with a given outcome. A quantum version of the algorithm above is illustrated 
in Figure 6.3. 


This time the calculation of the total probability associated with outcome 3 in 
the measurement after the second step is different. Since there is no measurement 
after the first step of the computation, we do not learn the path taken by the 
computation to the final state 3. That is, when we obtain the output 3, we will 
have no information telling us which of the four paths was taken. In this case, 
instead of adding the probabilities associated with each of these four paths, we 
must add the probability amplitudes. The probability of a measurement after 
the second step giving the result 3 is obtained by taking the squared norm of 
the total probability amplitude. 
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prob(final outcome is 3) = S- a0, j3;,3| - (6.1.5) 
j 


Note the difference between Equations 6.1.4 and 6.1.5. In Exercise 6.1.2 you 
will examine sets of probability amplitudes for which the two equations give 
drastically different results. 


Exercise 6.1.1 The transition probabilities q;,; of the classical probabilistic algorithm 
illustrated in Figure 1.1 form a 4 x 4 stochastic matrix for which }°, q:,; = 1 for every j. 


(a) Prove that for any unitary matrix U = [ui,;], the matrix S = [|wi,; 7] is a stochastic 
matrix. 


(b) Prove that not all stochastic matrices can be derived from a unitary U as described 
in the previous exercise. 


Note that this means that not all classical probabilistic algorithms can be simulated 
by quantum algorithms in the way that is described in this section. However, the next 
exercise shows a simple way in which a quantum algorithm can simulate any classical 
probabilistic one. 


(c) Show how a classical probabilistic transition on an M-state system can be simulated 
by a quantum algorithm by adding an additional M-state ‘ancilla’ system, applying a 
unitary operation to the joint system, and then measuring and discarding the ancilla 
system. 


Exercise 6.1.2 


(a) Describe complex numbers a;, 1 = 0,1,..., N — 1 satisfying 
2 
S- las]? = land So ai =0. 
(b) Describe complex numbers a;, i = 0,1,..., N — 1 satisfying 
2 
= lt: 


S- ja;|? = x and 


dia 
i 


Quantum interference has already been seen in Section 1.6 where we examined 
the photon and beam-splitter apparatus. We can revisit this example in the lan- 
guage of quantum circuits to provide a concrete example of interference in a 
quantum computation. Consider the quantum circuit in Figure 6.4. This circuit 
does not perform a purely quantum computation, because we make a measure- 
ment immediately after the first Hadamard gate (recall the definition of the 
Hadamard gate H, from Section 4.3). 
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Fig. 6.4 A quantum circuit exhibiting no quantum interference. 
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Fig. 6.5 A quantum circuit exhibiting interference. 


The state |¢1) immediately after this measurement is 


os |0) with probability $ site 
"~~ | |1) with probability 4. a 
2 
The state immediately after the second Hadamard gate is then 
re 5(|0) + |1)) with probability 3 one 
a (0) —|1)) with probability 3. A. 


In either case, the final measurement will give the result 0 or 1 with equal prob- 
ability. 


Compare the above with the quantum circuit shown in Figure 6.5. This time 
there is no measurement after the first Hadamard gate, and the application of the 
second Hadamard gate will give rise to interference in the quantum amplitudes. 
The state immediately after the first Hadamard gate is 


1 
v1) = 0 i Va 


This state is input directly to the second Hadamard gate, and the state after the 
second Hadamard gate is 


|1). (6.1.8) 


lea) = # (0) + ht) (6.1.9) 
= 5H) 4: <aHt) (6.1.10) 
hCG) a(n) ean 

= 50) | aD | 50) 5) (6.1.12) 

= |0). (6.1.13) 
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The total probability amplitude associated with |1) is 0, meaning that the 
probability for the second measurement giving result ‘1’ is now 0. The second 
Hadamard gate acted on the basis states |0) and |1) in superposition, and the 
amplitudes of state |1) for the two paths in this superposition interfered, causing 
them to cancel out. 


Note that if in Figure 6.5 we replace the Hadamard gate H with the ‘square root 
of NOT’ gate, 


F | (6.1.14) 


then we are describing the photon/beam-splitter experiment we saw in 
Section 1.6. 


Classical probabilistic algorithms can be easily simulated by quantum algorithms 
(see Exercise 6.1.1 c). However, can classical probabilistic algorithms efficiently 
simulate quantum algorithms? We have seen how naively replacing each quan- 
tum gate with a probabilistic classical gate can give drastically different out- 
comes, and thus will not work in general. Simple attempts, like approximating 
the total amplitude of a given outcome by sampling a polynomial number of 
paths leading to that outcome, are also not efficient in general. However, in 
some restricted cases, such as quantum circuits using only the cNoT, H, X,Y, Z, 
and T gates (which generate what is known as the Clifford group), can be ef- 
ficiently simulated on a classical computer (this is known as the Gottesman— 
Knill theorem). If there is no entanglement, or a sufficiently small amount of 
entanglement, then there are also efficient classical algorithms for simulating 
quantum systems. However, there is no known general purpose classical algo- 
rithm for simulating quantum systems (and, in particular, quantum computers). 
This leaves open the possibility that quantum algorithms might be able to solve 
some computational problems more efficiently than any classical probabilistic 
algorithm can. 


6.2 Phase Kick-Back 


In Exercise 4.2.4 we saw how, although when described in the classical basis, 
the CNOT gate appears to do nothing to the control qubit, it can in fact affect 
the control qubit just as much as it does the target qubit. For example, in the 
Hadamard basis, the role of control and target qubit is effectively switched, for 
example, 


Pee (eo) (AF) (oF) (OP). (6.2.1) 
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Notice that (2) is an eigenvector (or eigenstate) of the X(NOT) gate with 


eigenvalue —1, and an eigenvector of the identity gate with eigenvalue +1. Since 
the CNOT applies the NOT gate to the target qubit if the first qubit is in state 


|1), we get 
CNOT: |1) (ee) r—|1) (sor (OP) (6.2.2) 
= |1) (« 1) (ee) (6.2.3) 
1) (° +) (6.2.4) 


(where the second line follows from the first axiom of tensor products that we 
saw in Section 2.6). Since the CNOT applies the identity gate (i.e. does ‘nothing’) 
to the target qubit if the first qubit is in state |0), we get 


enor: |0) (eo) 1 Jo) (CS) . (6.2.5) 


Since the target qubit is in an eigenstate, it does not change, and we can effec- 
tively treat the eigenvalue as being ‘kicked back’ to the control register. 


Note that this can be summarized as 


cNnoT: |b) (o*) > (—1)?|b) (o*) . (6.2.6) 


where b € {0,1}. When the control qubit is in a superposition of |0) and |1), we 
have 


|0) — |1) |0) — |1) 
po) + (ag|0) — ay|1)) (a) (6.2.7) 


(notice this corresponds to effecting the Z gate to the control qubit). 


CNOT: (a@|0) + a1|1)) ( 


Let us consider the effect of a more general 2-qubit gate Us implementing an 
arbitrary function f: {0,1} — {0,1} by mapping Uf: |x)|y) + |x)|y @ f(a)) (as 
we saw in Section 1.5, this mapping is reversible even though the function f may 
not itself be invertible). 
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Let us fix the target register to the state A (0) — |1)), and analyse the action 


of Uy on an arbitrary basis state in the control qubit: 


|0) — |1) Us|x)|0) — Uy|a)|1) 
Ua) ( ) ( ) (6.2.8) 
V2 J2 
_ (|2)|0® f(x)) — |x)|1 ® f(z) 
_ ( = ) (6.2.9) 
~ |0 @ f(x)) — [1 & f(x) 
=|x) ( a ) (6.2.10) 


We know that the action of ‘@f(x)’ has no effect on a single bit if f(x) = 0 
(ie. b@0 = b), and ‘@f(z)’ flips the state of the bit if f(a) = 1. 

Consider the expression a ((0 B f(x)) — |1 ® f(x))) in the two cases f(x) = 0 
and f(a) =1: 


|0 @ f(x)) — |L@ f(%)) _ 10) —|1) 
Fa Bi (6.2.11) 
|0 @ f(x)) — [1 @ f(x) _ |1) — 10) _ (® ma 
v2 v2 v2 


These two possibilities differ by a factor of (—1) which depends on the value of 
f(x). We have 


) . (6.2.12) 


lO f(z)) —|L@ F(z) _ Fle) (2 i 2) 
a (1) rae ke (6.2.13) 
So the above state can be rewritten as 
_1)f@) ne 
|x)(—1) ( Ai : (6.2.14) 
Associating the (—1)/ factor with the first qubit, we have 
0) (DSB) aya) (WE) 
Uy : |x) ( Fi ) (—1)/”’ |x) Fi : (6.2.15) 


When the control qubit is in a superposition of |0) and |1), we have 


|0) = 1) #(0) f() 0) = |1) 
Uy + (aol0) + ar)t)) (PP), —((ay/aolo) + (ay Mari»)( A), 
(6.2.16) 
We can think of Uy as a 1-qubit operator Ore) (which maps |b) + |b ® f(«))) 
acting on the second qubit, controlled by the state |x) of the first register, as 


shown in Figure 6.6. We may sometimes write c-U¢(,) instead of Us. 
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Fig. 6.6 The 2-qubit gate Uy : |x)|y) + |x)|y ® f(x)) can be thought of as a 1-qubit 
gate Us(,) acting on the second qubit, controlled by the first qubit. 


2) ee) 
10)—[1) A ray patel |o)—I0) 
2 Us (a) at 1) SF v2 ) 


Fig. 6.7 The state —. of the target register is an eigenstate of Of (2)- The eigenvalue 


(—1)? can be ‘kicked back’ in front of the target register. 


|0)=|1) 
V2 


Notice in Equation (6.2.15) that the state of the second register is an 


eigenvector of U fla): 


This technique of inputting an eigenstate to the target qubit of an operator like 
the c-U f(x)» and associating the eigenvalue with the state of the control register 
(as illustrated in Figure 6.7), will be used repeatedly in the remainder of this 
chapter and the next chapter. 


6.3. The Deutsch Algorithm 


We now look at our first quantum algorithm. The Deutsch algorithm is a very 
simple example of a quantum algorithm based on the Quantum Fouries Trans- 
form (to be defined in the next chapter). It is a good place to start, because while 
being very simple and easy to understand, the Deutsch algorithm illustrates the 
key ideas of quantum parallelism and quantum interference that are used in all 
useful quantum algorithms. 


The problem solved by the Deutsch algorithm is the following. Suppose we are 
given a reversible circuit for computing an unknown 1-bit function f : {0,1} - 
{0,1} (see Section 1.5 for a discussion of reversible circuits). We treat this 
reversible circuit as a ‘black box’ or ‘oracle’. This means that we can apply 
the circuit to obtain values of f(a) for given inputs 2, but we cannot gain any 
information about the inner workings of the circuit to learn about the function 
f. The problem is to determine the value of f(0) @ f(1). If we determine that 
f(0) ® f(1) =0, then we know that f(0) = f(1) (although we do not know the 
value), and we say that f is ‘constant’. If on the other hand we determine that 
f(0) @ f(1) = 1, then we know that f(0) 4 f(1), and we say the function is 
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‘balanced’. So determining f(0) @ f(1) is equivalent to determining whether the 
function f is constant or balanced. 


The Deutsch Problem 


Input: A black box for computing an unknown function function 


f : {0,1} — {0, 1}. 
Problem: Determine the value of f(0) @ f(1) by making queries to f. 


How many queries to the oracle for f must be made classically to determine 
f(0) ® f(1)? Clearly the answer is 2. Suppose we compute f(0) using one (clas- 
sical) query. Then the value of f(1) could be 0, making f(0) © f(1) = 0, or the 
value of f(1) could be 1, making f(0) @ f(1) = 1. Without making a second 
query to the oracle to determine the value of f(1), we can make no conclusion 
about the value of f(0) @ f(1). The Deutsch algorithm is a quantum algorithm 
capable of determining the value of f(0) ® f(1) by making only a single query 
to a quantum oracle for f. 


The given reversible circuit for f can be made into a quantum circuit, by re- 
placing every reversible classical gate in the given circuit with the analogous 
unitary quantum gate. This quantum circuit can be expressed as a unitary 
operator 


Uy : |z)|y) > |x)|y © f(x). (6.3.1) 


Having created a quantum version of the circuit for f, we can supply quantum 
bits as inputs. We define Uy so that if we set the second input qubit to be in the 
state |y) = |0), then |) = |0) in the first input qubit will give |0¢ f(0)) = |f(0)) 
in the second output bit, and |) = |1) in the first input qubit will give |f(1)). So 
we can think of |2) = |0) as a quantum version of the (classical) input bit 0, and 
|x) = |1) as a quantum version of the input bit 1. Of course, the state of the input 
qubit can be some superposition of |0) and |1). Suppose, still keeping the second 
input qubit |y) = |0), we set the first input qubit to be in the superposition 
state 


Oe Ii: (6.3.2) 


1 1 

(= a sl) |0) (6.3.3) 
1 1 

= F510) A yg vO. (6.3.4) 
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The output of Uy will be the state 


U; Gaul i Jalii0)) (6.35) 
1 1 

= ZU \0]0) + UI) (6.3.6) 
1 1 

= Z,l)]0 70)) + ZWIo@ £0) 6.3.7) 
1 1 

= ZzI1700)) + Ilo.@ FM). (6.3.8) 


In some sense, Uy has simultaneously computed the value of f on both possible 
inputs 0 and 1 in superposition. However, recalling how quantum measurement 
works from Section 3.4, if we now measure the output state in the computational 
basis, we will observe either |0)|f(0)) (with probability $), or |1)|1@ f(1)) (with 
probability 3). After the measurement, the output state will be either |f(0)) or 
|f(1)), respectively, and so any subsequent measurements of the output state 
will yield the same result. So this means that although we have successfully 
computed two values in superposition, only one of those values is accessible 
through a quantum measurement in the computational basis. Fortunately, this 
is not the end of the story. 


Recall that for the Deutsch problem we are ultimately not interested in individual 
values of f(x), but wish to determine the value of f(0) @ f(1). The Deutsch 
algorithm illustrates how we can use quantum interference to obtain such global 
information about the function f, and how this can be done more efficiently than 
is possible classically. The Deutsch algorithm is implemented by the quantum 
circuit shown in Figure 6.8. 


Note that the second input bit has been initialized to the state pe. This 
state can easily be created from the state |1) by applying a single Hadamard 
gate. We do not show this gate, however, to emphasize a certain symmetry that 
is characteristic of these algorithms. A convenient way to analyse the behaviour 
of a quantum algorithm is to work through the state at each stage of the circuit. 
First, the input state is 


|0) 
H U, H | 


}0)—|1) 
v2 


wo) 21) tho) |¢3) 


Fig. 6.8 A circuit implementing the Deutsch algorithm. The measured value equals 


f(0) ® f(1). 
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jo) =I) (AP). 6.3.) 
After the first Hadamard gate is applied to the first qubit, the state becomes 
v1) = (i+ i) (oF) (6.3.10) 
_ 1 |0) — |1) 1 |0) = 1) 
= S10) ( a )+ Sh ( Te ) (6.3.11) 


Recalling Equation (6.2.15), after applying the Uy gate we have the state 


_ 1 (oy), 1 (Jo) =) 
bo) = 5 0) ( FB )+ 5 1) ( 7 ) (6.3.12) 


(=F 0) + (=1)F|1) \ (0) = |) 
op er Oey DY iO) 
(1) ( a )( = ) (6.3.14) 


where the last equality uses the fact that (—1)/(—1)f = (-1)f@of, 
If f is a constant function (i.e. f(0) @ f(1) = 0), then we have 


Is) = (if (ee a ) (eR. Pe) (6.3.15) 


and so the final Hadamard gate on the first qubit transforms the state to 


ws) = (-1)F|0) (oF) , (6.3.16) 


The squared norm of the basis state |0) in the first qubit is 1. This means that 
for a constant function a measurement of the first qubit is certain to return the 
value 0 = f(0) @ f(1). 

If f is a balanced function (i.e. f(0) @ f(1) = 1), then we have 


[y2) = (-1)F (oF) (eo) (6.3.17) 


and so the final Hadamard gate on the first qubit transforms the state to 


pba) = yn (A) 6.2.18) 


In this case the squared norm of the basis state |1) in the first qubit is 1. This 
means that for a balanced function a measurement of the first qubit is certain 
to return the value 1 = f(0) @ f(1). So a measurement of the first qubit at the 
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0°) —H}—e—iH | 


?§ By 


Fig. 6.9 The circuit for Deutsch’s algorithm with the c-O 42) drawn instead of Ur. 
When c-U f(x) is applied, the control qubit is in a superposition of |0) and |1), which 
pick up phase factors of (1) and (1) corresponding to the eigenvalues of 
U f(a) for c = 0 and 1, respectively. The Hadamard gate followed by a measurement in 
the computational basis determines the relative phase factor between |0) and |1). 


end of the circuit for the Deutsch algorithm determines the value f(0) © f(1) 
and thus whether the function is constant or balanced. 


To gain some insight into how the Deutsch algorithm can generalize, it is help- 
ful to remember that the operator Uy: |x)|y) > |x)|y © f(#)) in the Deutsch 
algorithm can be viewed as a single-qubit operator Ore); whose action on the 
second qubit is controlled by the state of the first qubit (see Figure 6.9). The 
state (S52) is an eigenstate of Ore) with eigenvalue (—1)/(. By encoding 
these eigenvalues in the phase factors of the control qubit, we are able to deter- 
mine f(0) @ f(1) by eure the relative phase factor between |0) and |1). 


Distinguishing (Me) and (! ams ) is done using the Hadamard gate. 


We will see this technique of associating phase factors (corresponding to eigenval- 
ues) with the control register, and then using quantum interference to determine 
the relative phase, applied throughout this chapter and the next chapter. 


Exercise 6.3.1 In the Deutsch algorithm, when we consider Uy as a single-qubit 


|0)—]1) 
a 


operator u f(a)s is an eigenstate of Ora); whose associated eigenvalue gives us 


the answer to the Deutsch problem. Suppose we were not able to prepare this eigenstate 
directly. Show that if we instead input |0) to the target qubit, and otherwise run the 
same algorithm, we get an algorithm that gives the correct answer with probability 
3 (note this also works if we input |1) to the second qubit). Furthermore, show that 
with probability s we know for certainty that the algorithm has produced the correct 


answer. 
Hint: write |0) in the basis of eigenvectors of Us. 


Note: Deutsch originally presented his algorithm in terms of the Uy operator with |0) 
input to the second qubit. Shor analysed his algorithm for finding orders (factoring) 
in an analogous manner. Later, it was found that analysing these algorithms in the 
eigenbasis of a suitable controlled operator is often convenient (Appendix A.6 discusses 
this issue; the operators are usually different from the U f(a) Operators we describe 
in this exercise). Note that for many algorithms (including the algorithm for finding 
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orders, which we will see in the next section), it is not possible to implement the ‘trick’ 
of inputting a desired eigenstate directly. 


6.4 The Deutsch—Jozsa Algorithm 


The Deutsch—Jozsa algorithm solves a problem that is a straight forward gener- 
alization of the problem solved by the Deutsch algorithm. The algorithm has 
exactly the same structure. As with the Deutsch algorithm, we are given a 
reversible circuit implementing an unknown function f, but this time f is a 
function from n-bit strings to a single bit. That is, 


f: {0,1}" > {0,1}. (6.4.1) 


We are also given the promise that f is either constant (meaning f(x) is the 
same for all x), or f is balanced (meaning f(x) = 0 for exactly half of the input 
strings x, and f(x) = 1 for the other half of the inputs). The problem here is to 
determine whether f is constant, or balanced, by making queries to the circuit 
for f. 


The Deutsch—Jozsa Problem 


Input: A black-box for computing an unknown function f: {0,1}” — {0, 1}. 
Promise: f is either a constant or a balanced function. 
Problem: Determine whether f is constant or balanced by making queries to 


$s 


Consider solving this problem by a classical algorithm. Suppose we have used the 
oracle to determine f(x) for exactly half of the possible inputs x (i.e. you have 
made 2”~! queries to f), and that all queries have returned f(x) = 0. At this 
point, we would strongly suspect that f is constant. However, it is possible that 
if we queried f on the remaining 2”~! inputs, we might get f(a) = 1 each time. 
So it is still possible that f is balanced. So in the worst case, using a classical 
algorithm we cannot decide with certainty whether f is constant or balanced 
using any less than 2”~!+1 queries. The property of being constant or balanced 
is a global property of f. As for the Deutsch problem, a quantum algorithm 
can take advantage of quantum superposition and interference to determine this 
global property of f. The Deutsch—Jozsa algorithm will determine whether f 
is constant, or balanced, making only one query to a quantum version of the 
reversible circuit for f. 


Analogous to what we did for the Deutsch algorithm, we will define the quantum 
operation 


Us: |x)ly) > [x)ly ® F(x). (6.4.2) 


This time we write x in boldface, because it refers to an n-bit string. As before, 
we think of Uy as a 1-qubit operator Us(x), this time controlled by the register 
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0) —H H 
0) —— H 


» H 


10)—|1) 


U r(x) 7a 


iS 
ele 


is) 


Io) |v) v2) Iq)3) 


Fig. 6.10 A circuit for the Deutsch—Jozsa algorithm. If the measured bit string is all 
Os, then the function is constant. Otherwise, it is balanced. 


of qubits in the state |x). We can see that 10) + ) 


is an eigenstate of U f(x) with 
eigenvalue (—1)f), 
The circuit for the Deutsch—Jozsa algorithm is shown in Figure 6.10. 


Notice the similarity between the circuit for the Deutsch algorithm, and the cir- 
cuit for the Deutsch—Jozsa algorithm. In place of a simple 1-qubit Hadamard 
gate, we now have tensor products of n 1-qubit Hadamard gates (acting in par- 
allel). This is denoted H®". We use |0)®", or |0) to denote the state that is the 
tensor product of n qubits, each in the state |0). 


As we did for the Deutsch algorithm, we follow the state through the circuit. 
Initially the state is 


jbo) = lyon (PM) (6.4.3) 


Consider the action of an n-qubit Hadamard transformation on the state |0)®” 


Hoo) = (=) (Jo) +11) 00) +11) @---9 (1) +10). (6.4.4) 


n 


By expanding out the tensor product, this can be rewritten as 


H®"|9)e" == | (6.4.5) 


x€{0,1}” 


This is a very common and useful way of writing this state; the n-qubit Hadamard 
gate acting on the n-qubit state of all zeros gives a superposition of all n- 
qubit basis states, all with the same amplitude = (called an ‘equally weighted 
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superposition’). So the state immediately after the first H®” in the Deutsch— 
Jozsa algorithm is 


1 wo ( 0) =) 
= ae 2 | ( 5 (6.4.6) 


Notice that the query register is now in an equally weighted superposition of all 
the possible n-bit input strings. Now consider the state immediately after the 
Uy (equivalently the c-Us(,)) gate. The state is 


=. 4 |0) — |1) 
IW) = Tae Us Sei) (ee) 


xE{0,1}” 
== S21) [x) (OP) (6.4.7) 
x€{0,1}” 


where we have associated the phase shift of (—1)/“) with the first qubit (recall 
Section 6.2). 


To facilitate our analysis of the state after the interference is completed by the 
second Hadamard gate, consider the action of the n-qubit Hadamard gate on an 
n-qubit basis state |x). 


It is easy to verify that the effect of the 1-qubit Hadamard gate on a 1-qubit 
basis state |) can be written as 


Hz) = 5 (0) + (-1)"|1)) (6.4.8) 
1 
= — (-1)"*|z). (6.4.9) 
v2 a, 


Then we can see that the action of the Hadamard transformation on an n-qubit 
basis state |x) = |21)|@2)...|@n) is given by 


H®" |x) = H®"(\21)|ax2) +++ |an)) (6.4.10) 
25Gs\ Mae cata es (6.4.11) 
1 ry a _1)%2 ale ai —1)% 
as (10) + (—1)"|1)) Fa (10) + (—1)"*|1)) Fa (|0) + (—1)*"|1)) 
(6.4.12) 
1 


= Se. RIP eee eats a) saya |2e\y (6.418) 


n 
2122...2n€{0,1}” 
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Exercise 6.4.1 Prove that 


(@ + (=1)""(1) ) (” + conn) - (@ + Ge) (6.4.14) 


v2 V2 V2 
= = S- (—1)7271 teaz2t ten en [2 \iz0\ + lan). (6.4.15) 


2122-.-2n €{0,1}” 


The above equation above can be written more succinctly as 


He x\.= 


1 x'Z 
aa S> (-1)**\[z) (6.4.16) 
zE{0,1}” 
where x -z denotes the bitwise inner product of x and z, modulo 2 (we are able 
to reduce modulo 2 since (—1)? = 1). Note that addition modulo 2 is the same 
as the XOR operation. The state after the final n-qubit Hadamard gate in the 
Deutsch—Jozsa algorithm is 


sf es pte _1)*21,) | (=I) 
w=(— Does Y are] (SF) 


x€{0,1}” ze{0,1}” 


I 


= SS De rr lz) (CP). (6.4.17) 


ze{0,1}" \xeE{0,1}” 


At the end of the algorithm a measurement of the first register is made in the 
computational basis (just as was done for the Deutsch algorithm). To see what 
happens, consider the total amplitude (coefficient) of jz) = |0)®" in the first 
register of state |w3). This amplitude is 


i x 
ee ae. (6.4.18) 


xe {0,1}” 


Consider this amplitude in the two cases: f constant and f balanced. If f is 
constant, the amplitude of |0)®” is either +1 or —1 (depending on what value 
f(x) takes). So if f is constant, a measurement of the first register is certain to 
return all Os (by ‘all Os’ we mean the binary string 00---0). On the other hand, if 
f is balanced, then it is easy to see that the positive and negative contributions 
of the amplitudes cancel, and the overall amplitude of |0)®" is 0. So if f is 
balanced, a measurement of the first register is certain not to return all Os. So 
to determine whether f is constant or balanced, the first register is measured. If 
the result of the measurement is all Os, then the algorithm outputs ‘constant’, 
and otherwise it outputs ‘balanced’. 
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Exercise 6.4.2 


(a) Show that a probabilistic classical algorithm making 2 evaluations of f can with 
probability at least 3 correctly determine whether f is constant or balanced. 


Hint: Your guess does not need to be a deterministic function of the results of the two 
queries. Your result should not assume any particular a priori probabilities of having a 
constant or balanced function. 


(b) Show that a probabilistic classical algorithm that makes O(n) queries can with 


probability at least 1 — oa correctly determine whether f is constant or balanced. 


Hint: Use the Chernoff bound (Appendix A.1). 


It is worth noting that although deterministic classical algorithms would require 
2-1 +4 1 queries in the worst case (compared to only 1 query for this quantum 
algorithm), as shown in Exercise 6.4.2, a probabilistic classical algorithm could 
solve the Deutsch—Jozsa problem with probability of error at most 3 using 2 
queries. The probability of error can be reduced to less than oa with only n + 1 
queries. So although there is an exponential gap between deterministic classical 
and ‘exact’ quantum query complexity (see Definitions 9.4.1. and 9.4.2), the gap 
between classical probabilistic query complexity and the quantum computational 
query complexity is constant in the case of constant error, and can be amplified 
to a linear gap in the case of exponentially small error. The next section gives 
one of the first examples where a quantum algorithm can solve a problem with 
a polynomial number of queries, where any classical algorithm would require an 
exponential number of queries even to succeed with bounded error. 


6.5 Simon’s Algorithm 


Consider a function f: {0,1}" — X, for some finite set X, where we have the 
promise that there is some ‘hidden’ string s = s152...8 so that f(x) = f(y) if 
and only if x = y or x = y @s. In this section we will treat the domain {0,1}” 
of f as the vector space! Z over Z (in general, one can treat it as additive 
group). For convenience, we will assume that X C {0,1}”. 


1To avoid potential confusion, it is worth pointing out that we are talking about two different 
types of vector spaces. On the one hand, we are referring to the vector space 7} over Z2, which 
consists of n-tuples of Os and 1s. This vector space has dimension n since it can be generated by 
the n linearly independent vectors consisting of n-tuples with exactly one 1 in the kth position, 
for k = 1,2,...n. The quantum algorithm is executed in a complex vector (i.e. Hilbert) space 
whose basis elements are labelled by the elements of the vector space 23’. This Hilbert space 
has dimension 2”. 
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Simon’s Problem 


Input: A black-box for computing an unknown function f : {0,1}" — X, 
where X is some finite set. 

Promise: There exists a string s = 5152...» so that f(x) = f(y) if and only 
ifx=yorx=yQ®s. 

Problem: Determine the string s by making queries to f. 


Simon’s problem requires an exponential number of queries on a classical com- 
puter. 


Theorem 6.5.1 Any classical algorithm that solves this problem with proba- 
bility at least 3 for any such f must evaluate f a number of times in Q(2"/°). 


Before we describe Simon’s algorithm, let us make another observation about 
the n-qubit Hadamard transformation. We already saw that 


H°"|x) = S> (-D**l2). (6.5.1) 


ze{0,1}” 


What happens when we apply H®” to a superposition of two basis states, say 
|0) + |s)? 


a 1 1 = 1 1 SZ 
H® (=l0 +) = S- le) + Tae », C2) 


Note that if s-z = 1 we have 1+(—1)*” = 0 and the basis state |z) vanishes in the 


c ae p Boe kexts : if 
above superposition, and otherwise, |z) remains with amplitude owe Let us 


define st = {z € {0,1}"|s-z = 0}. Note that s+ is the vector subspace of Z?? that 
is orthogonal to the subspace S = {0,s}, also called the ‘orthogonal complement 
of S’ and denoted S+. This implies that the dim($) + dim($+) = dim(Z?) = n, 
and thus st has dimension n — 1. 


oe | 1 ae 
H® (=:l0) +b) = a (6.5.4) 


rfl i tool oe : 
H? (G+) yer ye Gay). (6.5.5) 


zé{s}t 


TEAM LinG 


Fig. 


SIMON’S ALGORITHM 105 


0.) 1H HK< 
0) —H H}-—< 


») A U,| AW <1 


6.11 A circuit for the quantum part of Simon’s algorithm. The measured bit 


values correspond to a string w; from st. 


In Exercise 6.5.1, we see how the Hadamard gate maps gal) + walk @s) toa 


uniform superposition of states z € st. This is the main ingredient to analysing 
the following algorithms for solving Simon’s problem. 


We assume that we have the following reversible black-box for implementing /: 


Us : |x)|b) > |x)|b © f(x). 


Simon’s algorithm is illustrated in Figure 6.11, and performs the following oper- 
ations. 


Algorithm for Simon’s Problem 


1. 
Ds 
3. 


Pe Se 


. Output s. 


Set a counter 7 = 1. 


Prepare Jez Lixe{o,1}" x)|0). 
Apply Uy, to produce the state 


d— X)LFCe). 


x€{0,1}” 


(optional?) Measure the second register. 

Apply H®” to the first register. 

Measure the first register and record the value w;. 

If the dimension of the span of {w;} equals n — 1, then go to Step 8, 
otherwise increment 7 and go to Step 2. 

Solve the linear equation Ws? = O7 and let s be the unique non-zero 
solution. 


?This step is unnecessary, but can be helpful with the analysis. 
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Note that {0,1}” can be partitioned into 2"! pairs of strings of the form 
{x,x @s} (in group theory language, these are the cosets of the subgroup {0,s} 
in the additive group Z3'). Let I be a subset of {0,1}” consisting of one rep- 
resentative from each of these pairs (in group theory language, these are coset 
representatives of the cosets of {0,s}). 


Note that the state in Step 3 can be rewritten as 


ar Dll) + ee s)/N0). (6.5.6) 


xel 


Thus, after we measure the 2nd register in Step 4 to obtain some value f(x), 
1 


the first register will be left in the superposition va (lx) +|x@s)). Exercise 6.5.1 
shows that after the Hadamard transformation in Step 5, the first register will 
be in an equally weighted superposition of elements of st. Thus the values w; 
measured in Step 6 will be elements of s+ selected uniformly at random. This 
means that when in Step 7 the dimension of the span of the {w;} equals n — 1, 
then span{w;} = s+. It follows that 0 and s are the only solutions to the linear 
equation in Step 8, which can be found by Gaussian elimination modulo 2 in 


time polynomial in n. 


Exercise 6.5.2 We have defined s+, but more generally we can let S be a vector 
subspace of Z3', and define S~ = {t € Z2|t-s = 0 for all s € S}. So our previously 
defined s+ corresponds to S+ where S = {0,s} is the 2-dimensional vector space 
spanned by s. 


(a) Define |S) = Yo .e5 eas). Prove that H®"|S) = weg. saw). 


(b) For any y € {0,1}” define ly + S) = O.c5 yams). What is H®"|y +S)? 


Exercise 6.5.3 Let W be a vector subspace of {0,1}” of dimension m. 


Let wi, W2,... be a sequence of elements of W selected uniformly at random. Let V; 
be the subspace spanned by wi, wa,..., Wi. 


Define X; to be the random variable denoting the lowest index i where V; has dimension 
j. So Xm denotes the lowest index i where V; has dimension m and therefore Vi = W. 


Show that the expected value of Xm is less than m+ 1. 


Hint: Define Y; = X1, and Y; = X; — Xj~-1 for 7 > 1, and note that X; = Yi + Yo+ 
2 $Y}. 


As shown in Exercise 6.5.3, the expected number of samples from st before the 
algorithm stops is less than m+1 =n. 
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Theorem 6.5.2 The above algorithm finds the hidden string s in Simon’s Prob- 
lem. The expected number of evaluations of f in the execution of the algorithm 
is less than n, and the expected number of other elementary gates is in O(n*). 


One might not be so satisfied with a polynomial expected running time; however, 
if one is willing to accept a small probability of not getting an answer, then 
we also have a polynomial worst-case running time. This is because one can 
generically convert an algorithm with expected running time T into one with 
a definite running time in O(T) and with a bounded probability of successfully 
outputting an answer. We call this type of algorithm a ‘zero-error’ algorithm 
since when it does provide an answer, it is always correct. 


It follows from Markov’s inequality that any algorithm that terminates with an 
expected number of queries equal to T will terminate after at most 37 queries, 
with probability at least 2 (see Appendix A.1). This means that if we simply 
abandon Simon’s algorithm if it has not stopped after 3n queries, then with 
probability at least 2 the algorithm will successfully solve Simon’s problem. For 
any particular sleorithiniy it might be possible to do better than what Markov’s 
inequality provides. For example, a more careful analysis shows that n + 3 uni- 
formly random samples from st will generate st with probability at least 2 
(see A.3). We can thus alternatively describe the following zero-error version of 
Simon’s algorithm that has a bounded running time. 


Zero-Error Algorithm for Simon’s Problem 


1. Set a counter 7 = 1. 


2. Prepare T= »xe{o,1}» [X)|0). 
3. Apply Uy, to produce the state 


S| OZ). 


x€{0,1}” 


(optional)*Measure the second register. 

Apply H®” to the first register. 

Measure the first register and record the value w;. 

If i= n+3 then go to Step 8, otherwise increment 7 and go to Step 2. 
Solve the linear system Ws? = 07, and let s;,s2,... be the generators of 
the solution space. 

9. If the solution space has dimension 1, spanned by s;, output s = s). 
Otherwise, output ‘FAILURE’. 


ON SPE 


Theorem 6.5.3 The above algorithm solves Simon’s problem with probability 
at least 3 using n + O(1) evaluations of f and O(n*) other elementary operations. 


3This step is unnecessary, but can be helpful with the analysis. 
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One can naturally generalize Simon’s problem to the following. 


Generalized Simon’s Problem 


Input: A black-box U;, implementing some f: {0,1}” — X, where X is some 
finite set. 

Promise: f(x) = f(y) if and only if x —y € S for some subspace S < Z?. 
Problem: Find a basis s1,S2,...,Sm for S (where m is the dimension of the 
subspace S$). 


The algorithm for solving the generalized Simon’s problem is essentially the same 
as the algorithm for Simon’s problem. Note that if S = {0,x1,..., Xgm_1} is an 
m-dimensional subspace of 73) = {0,1}”" over Z, then the set {0,1}” can be 
partitioned into 2"~™ subsets of the form {y,y © X1,y ® X2,..., Y B Xgm-1} 
(which we often denote by y + S). Let I be a subset of {0,1}” consisting of one 
representative from each of these 2”~™” disjoint subsets. Thus in Step 3, we can 
see that we have the state 


SPs) = Dv + LO) (6.5.7) 


x€{0,1}” yel 


where (as in Exercise 6.5.2) we define |y + S) = ose Faas). Thus, after we 
measure the second register in Step 4, the first register is left in a state of the form 
ly+S) for arandom y. In Exercise 6.5.2 we see that after applying the Hadamard 
transformation in Step 5, the first register contains a uniform superposition of 
elements of $+. Thus the measurement of the first register in Step 6 results in a 
value w; sampled uniformly at random from $+. The only part of the algorithm 
that changes slightly is the last three steps. 


If we know the dimension m of 5S, then we know that $+ has dimension n — m, 
and we could substitute Steps 7, 8, and 9 in the first algorithm for Simon’s 
problem with 


7’. If the dimension of the span of {w;} equals n — m, then go to Step 8, 
otherwise increment 7 and go to step 2. 

8’. Solve the linear equation Ws? = O07 and let s1,S2,..., Sm be generators of 
the solution space. 

9’. Output $1,82,..., Sm. 


Theorem 6.5.4 The modified algorithm described above solves the generalized 
Simon’s problem when the dimension m of S is given. The expected number of 
evaluations of f in the execution of the algorithm is less than n — m+ 1, and 
O(n?) other elementary operations are used. 


When we do not know m, we still know that whatever m is, that m+ 4 samples 
suffice in order to generate S+ with probability at least 2, and thus n + 4 samples 
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are certainly adequate. Thus for the generalized Simon’s problem, we can run 
the zero-error algorithm for Simon’s problem, with the following replacements: 


7”. If =n+4 then go to Step 8, otherwise increment 7 and go to Step 2. 

8”. Solve the linear equation Ws? = 07 and let s,,s2,... be generators of the 
solution space. 

9. Evaluate f(0), f(si), f(sg),.... If the outputs all equal f(0), then output 
$1,82,---,; Sm. Otherwise, output ‘FAILURE’. 


The following Theorem is proved in Appendix A.3. 


Theorem 6.5.5 The subspace (w1, W2,..., Wn+4) spanned by the w; obtained 
in the modified zero-error algorithm for Simon’s problem is a subspace of S+. 
With probability at least 2, we have (w1,W2,..., Wn44) = St. 
Corollary 6.5.6 The hidden subspace S of f is contained in the span of 
$1,S2,-.... With probability at least 2 we have S = (sj,S9,...). 


Note that we can test if f(s;) = 0 for all 7, and thus we can test if S = (s),S2,...) 
with n + O(1) evaluations of f. 


Theorem 6.5.7 The modified algorithm described above is zero-error and 
solves the generalized Simon’s problem with probability at least 2 and uses 
n — m + O(1) evaluations of f and O(n?) other elementary operations. 


It is worth noting that, since we never use the measurement outcome in Step 4, 
then that measurement step is not actually necessary (recall Exercise 3.5.4). It 
is included solely for the sake of helping analyse the algorithm. 


If we view this problem in the language of group theory, the group S is usually 
called the ‘hidden subgroup’, as we describe in more detail in Section 7.5. We 
will see later in the next section how replacing Z3 with the group of integers Z 
gives us a problem that allows us to efficiently factor large integers. 
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ALGORITHMS WITH 
SUPERPOLYNOMIAL 
SPEED-UP 


In this chapter we examine one of two main classes of algorithms: quantum al- 
gorithms that solve problems with a complexity that is superpolynomially less 
than the complexity of the best-known classical algorithm for the same prob- 
lem. That is, the complexity of the best-known classical algorithm cannot be 
bounded above by any polynomial in the complexity of the quantum algorithm. 
The algorithms we will detail all make use of the quantum Fourier transform 
(QF). 

We start off the chapter by studying the problem of quantum phase estimation, 
which leads us naturally to the QFT. Section 7.1 also looks at using the QFT to 
find the period of periodic states, and introduces some elementary number theory 
that is needed in order to post-process the quantum algorithm. In Section 7.2, 
we apply phase estimation in order to estimate eigenvalues of unitary operators. 
Then in Section 7.3, we apply the eigenvalue estimation algorithm in order to 
derive the quantum factoring algorithm, and in Section 7.4 to solve the discrete 
logarithm problem. In Section 7.5, we introduce the hidden subgroup problem 
which encompasses both the order finding and discrete logarithm problem as 
well as many others. This chapter by no means exhaustively covers the quantum 
algorithms that are superpolynomially faster than any known classical algorithm, 
but it does cover the most well-known such algorithms. In Section 7.6, we briefly 
discuss other quantum algorithms that appear to provide a superpolynomial 
advantage. 


7.1. Quantum Phase Estimation and the Quantum Fourier 
Transform 


To introduce the idea of phase estimation, we begin by noting that the final 
Hadamard gate in the Deutsch algorithm, and the Deutsch—Jozsa algorithm, 
was used to get at information encoded in the relative phases of a state. The 
Hadamard gate is self-inverse and thus does the opposite as well, namely it can be 
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used to encode information into the phases. To make this concrete, first consider 
H acting on the basis state |a) (where x € {0,1}). It is easy to see that 


H\x) = 10) + ip (7.1.1) 
1 
nee (—1)"¥|y). (7.1.2) 
VB oy i 


You can think about the Hadamard gate as having encoded information about 
the value of x into the relative phases between the basis states |0) and |1). The 
Hadamard gate is self-inverse, and so applying it to the state on the right side 
of Equation (7.1.2) we get |x) back again: 


1 Cpe’... 
(Salo) + i 1)) = |z). (7.1.3) 


Here the Hadamard gate can be thought of as decoding the information about 
the value of x that was encoded in the phases. 


More generally, consider H®” acting on the n-qubit basis state |x), which we 
saw in Section 6.4 is: 


HE" |x) = —1)**|y). (7.1.4) 


Ee oe 

ye{0,1}” 
We can think about the n-qubit Hadamard transformation as having encoded 
information about the value of x into the phases (—1)*’¥ of the basis states ly). 
If we apply H®” to this state we get |x) back again: 


1 
He™—_ 7 (-1)*|y) = B®" (H®"|x)) (7.1.5) 
var ye{0,1}” 
= (Beer?) |x) (7.1.6) 
= Ix) (7.1.7) 
= |x). (7.1.8) 


The n-qubit Hadamard gate here can be thought of as decoding the information 
about the value of x that was encoded in the phases. 


Exercise 7.1.1 (Bernstein-Vazirani problem) Show how to find a € Z3' given one 
application of a black box that maps |x)|b) + |x)|b @x-a), for some b € {0, 1}. 


Of course, (—1)* are phases of a very particular form. In general, a phase is a 
complex number of the form e?”, for any real number w € (0,1). The phase 
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—1 corresponds to w = $. The n-qubit Hadamard transformation is not able to 
fully access information that is encoded in more general ways. In this section 
we explore how to generalize the Hadamard gate to allow the determination of 
information encoded in phases in another special way. 


Suppose we are given a state 


1 
Sey) (7.1.9) 


where w € (0,1). Previously we had considered the n-bit string y as an n-tuple 
of binary values, but now we consider the n-bit strings to be integers from 0 to 
2” — 1. When we write |y), it is understood that we are referring to the basis 
state labelled by |y), where y is the binary encoding of the integer y. 


Given the state (7.1.9) above, we might be interested in determining w. It may 
not be obvious now why this would be a useful thing to do, but the motivation 
will become clear later on. For reference, we state the problem below. 


Phase Estimation Problem 


: ed yee. 
Input: The state > ore 


Problem: Obtain a good estimate of the phase parameter w. 


There is a quantum algorithm for solving the Phase Estimation Problem. It is 
described below. 


We begin by showing you some standard notation for writing the kinds of ex- 
pressions we will have. First note that w can be written in binary as 


w=0.%1%2%3°°: (7.1.10) 


(this means x; - 271 4 aq -27? + 43-27%+4+---). 


Similarly, we can write power-of-2-multiples of w as 


QPuy = 21 00%3°** Lh. Le41Lep2°*° (7.1.11) 


2rik 


and since e = 1 for any integer k, we have 


e27i(2*w) a e2T 18 283--Te-TeH1Tk 42" ) 
— e2ti(t1v2%3--@e) 62710. Te41 TKI" ) 


= e270. @ep1 Repo"). (7.1.12) 


Let us begin considering how to use a quantum circuit to determine w, given the 


state eines e27Y ly) as input. If the input is a 1-qubit state(so n = 1), and if 
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w = 0.21, then the state can be written 


ane Orr )¥ ly) = aye 2 )¥ ly) (7.1.13) 
= A Seow (7.1.14) 
e S Deve (7.1.15) 
= Fs ((0) + (-1)*11)). (7.1.16) 


Recalling Equation (7.1.3) we can use the single-qubit Hadamard gate to deter- 
mine the value of x (and thus of w): 


1 
A {| —(|0) + (-1)"1]1 = |x). 7.1.17 
(Ss (io) + (1)*0))) = fe (7.1.17) 
Before continuing to determining w = 0.2%,2%2--- for more complicated states, 


make note of the following very useful identity. 


5 cee) Cher) gf ioeres Ol) 


(oD) 
2 
- (2 te a8) ‘ (* eB) Biss 
v2 v2 
. (Cte) 
V2 
(7.1.18) 


Exercise 7.1.2 Prove the identity (7.1.18). 


Suppose we have the 2-qubit state Te ee he e?™“Y ly) and suppose that w = 
0.21429. ay the above identity, we can hen write the state as 


0 2ni(O.w2)) 1 0 2ni(O.01@2)/7 


(7.1.19) 
TEAM LinG 


114 ALGORITHMS WITH SUPERPOLYNOMIAL SPEED-UP 


Notice that x2 can be determined from the first qubit, by applying a Hadamard 
gate (exactly the same as in the previous example). We still need to determine 
x 1, and this obviously has to come from the second qubit. If rz = 0, then the 
second qubit is in the state 3510) + 271-71)|1), and we can determine 7, using a 
Hadamard gate (just as we did for v2). If v2 = 1, however, this will not work, and 
we will need to do something else first. Define a 1-qubit phase rotation operator 
Raz by the following matrix (with respect to the computational basis): 


1 0 1 0 
Rg = 0 | = k noon) ’ (7.1.20) 


where 0.01 in the exponent is written in base 2 (so 0.01 = 2~?). The inverse of 
Ro is 


= 1 0 
Ry t= fF rite ; (7.1.21) 


If 2 = 1, consider the effect of applying Ry, ' to the second qubit: 


a (” veel) _ |0)+ e27i(0-e11—0.01) |7 ) 
|0) a erred 1) 


= 773 ; (7.1.22) 


After Ry ' is applied, the Hadamard gate can be used to determine 7,. Whether 
to apply Rz' to the second qubit before applying the Hadamard gate is deter- 
mined by whether x2 = 1 or x2 = 0. Recall that after we applied the Hadamard 
gate to the first qubit, the state of the first qubit became |x2). So we can use 
a controlled-Ry ' gate on the second qubit, controlled by the state of the first 
qubit. In summary, for the case of a 2-qubit state with w = 0.2122, the circuit 
shown in Figure 7.1 solves the Phase Estimation Problem (note that here the 
‘estimation’ is exact). 


It is worth noting that the controlled-R gate, for any phase rotation gate R is 
symmetric with respect to swapping the control and target bits, as illustrated in 
Figure 7.2. However, it is convenient when doing phase estimation to think of it 
as being a controlled phase shift. 


ZL. (0) + €2*#(-2)|1)) 7 | |x2) 
° 1 I 
(0) + e2MO2=2)1)) (Ry H |— |x) 


0 e27 i (0.21 22) ]1 0 e27t (0.04) /1 
ja) (2 - w) laa) (2 - 2) 


Fig. 7.1 A circuit for the 2-qubit phase estimation algorithm. 
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—- - 8 


be 8 


Fig. 7.2 A controlled phase shift of e’? is symmetric with respect to swapping the 
control and target bits. 


Sz (|0) + e?n#29)/1)) H ’ |r3) 
4; (|0) + e2r#(0-2200)|1)) (Re) H | ’ |x) 

el 2ni(0.21 222: fp- (pati . 

Jz ((0) +e 11)) 5) (93) | Ins) 


Fig. 7.3 A circuit for the 3-qubit phase estimation algorithm. 


The above approach to phase estimation can be generalized. To illustrate this, 


we give one more example. Suppose we wish to determine w = 0.2 ,x2x3 for a 


3 : 
3-qubit state Iz pele e2t(0.21%2%3)¥ ly) This state can be written 


23-1 
Sy E27 1(0.71 0223) lay) (7.1.23) 
y=0 
_ (" fs ee) . (® 4 a) . (® 4 ee 
7 v2 V2 v2 , 
We define a general 1-qubit phase rotation gate Ry, by 
Ry = ae 724. 
The inverse RS has the following effect on the basis states 
Ry: |0) + |0) 
Ree, (7.1.25) 


where the 1 in the exponent is in the k*” position. 


We argue just as we did for the 2-qubit case above. This time, for the third 
qubit we have to conditionally ‘rotate off’ both x2 and 23. The circuit 
in Figure 7.3 implements the phase estimation algorithm for the 3-qubit state 
(7.1.23). A measurement of the state at the output of the circuit tells us 
w= 0.01 29%3. 

It should be clear now how this phase estimation circuit generalizes: 
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We have only aieted at the above phase estimation algorithm works for the 
n- ae state = ar 5 e2™4|y) when the phase is of the form w = 
0.21%2°+-Xp. That is, we have only seen that the phase estimation algorithm 
returns « when w is of the form 37, for some integer 2. As we shall see in the 
pes section, for arbitrary w, the phase estimation circuit will return x such that 
5x is closest to w with high pIOBABIliby (this is why we use the word ‘estimation’ 
for this algorithm). So we just have to choose n (i.e. the number of qubits to use 
for our approximation) so that this estimate is close enough. 


Notice that the output of Figure 7.3 is the state |~) = |a32221). For the analogous 
circuit on n qubits estimating a phase of the form x = 0.2, 22...%n, the output 
of the circuit would be the state |x, ...2%2% ). If we add some gates to reverse 
the order of the qubits at the end, we have an efficient circuit (with O(n”) gates) 


that implements 
2"-1 


dX era Vly\ > |x), (7.1.26) 


a 


Note that in practice we do not actually have to implement the reversal of the 
order of the qubits; it suffices simply to logically relabel the qubits (in reverse 
order). 


Consider the inverse of (7.1.26): 


27-1 


y era Uy) (7.1.27) 


ae 


Note that this is simply the unitary transformation realized by applying the phase 
estimation circuit backwards.' Equation (7.1.27) bares a strong resemblance to 
the discrete Fourier transform, which appears often in science and engineering. 
We call Equation (7.1.27) the Quantum Fourier Transform (QFT) on n qubits, 
written QFT jn. We often just write QFT instead of QFT,, when the intended 
meaning is clear. The QFT extends linearly to arbitrary superpositions of basis 
states. 


Since the QFT is the inverse of the phase estimation operation, we have an 
efficient circuit for performing the QFT (just the phase estimation circuit back- 
wards). For reference, a quantum circuit for the QFT is shown in Figure 7.4. 


In general, QFT,,, is used to denote the QFT defined on basis states |0),|1),..., 
|m — 1) according to 


1 = 
QET,,, : |) SE etn Uy), (7.1.28) 


1Recall that running or applying a circuit ‘backwards’ means to replace each gate with its 
inverse, and run the circuit in reverse order. 
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les) 4H H{ Fa) 7 Ja (|0) + em 1)) 

|e2) ° Rn} J; ((0) + ets O-*-=>)]1)) 
|2n—1) | ae |H (Rs) 4. (|0) e27i(0%n-1%0)|1)) 

xn) e | 6 H + ({0) sp. e27(0-#n)|1)) 


Fig. 7.4 A circuit for the QFT, up to a permutation of the output qubits to reverse 
their order. Note that in practice, we do not need to physically implement this permu- 
tation, but can achieve the desired result by simply logically relabelling the qubits. 


Note however that a circuit like that in Figure 7.4 will only implement QFT 
QFT,,, where m = 2” is a power of 2. 


Theorem 7.1.1 There is a uniform family of circuits Cy, with size polynomial 
in logm and logT that implements QFT,,, with error? less than z 


Also for reference, we state the action of the inverse QFT (denoted QFT;,") on 
the basis states |0),|1),..., |m— 1): 


QFT;! : |z) BH —= Se Pe Vy), (7.1.29) 


7.1.1 Error Analysis for Estimating Arbitrary Phases 


In our discussion of phase estimation we assumed that w was of the form w = 37. 
The QFT~' then returns the integer x, encoded in binary by an n-qubit state. In 
this section we examine the error that occurs when w is not an integer multiple 


1 
of sr- 


In general, the QFT™' will output some superposition |) = 7, a, (w)|x) which, 
after the measurement, outputs x with probability |a,(w)|?. The output x corre- 
sponds to the estimate @ = 3;. We show in this section that with high probability 
the estimate @ will be a good estimate of w. Note that although @ is a particular 
value that is output according to a probability distribution, we use |w) as short- 
hand for the superposition of the values x which, when measured, gives a good 
estimate of w with high probability. (i.e. |) does not refer to a computational 
basis state with value ‘@’.) 


We begin by showing that if we use n qubits, then the phase estimation algorithm 
returns the integer < such that # is the closest integer multiple of sh to w, with 
probability at least 4. (If w is exactly halfway between two integer multiples 
of oan the phase estimation algorithm returns each of these with probability at 
least — Then we will investigate how many qubits we need to use to ensure 


?Recall the definition of this error in Equation 4.3.1. 
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that we get w accurate to n bits, with a probability of error below a prespeci- 
fied level. To illustrate our discussion, it is convenient to represent phase values 
on a circle having circumference 1. The value w (corresponding to the phase 
parameter 27w) is a real number in the interval [0, 1). We can choose a reference 
point on the circle to represent the value 0, and count points around the circle 
counterclockwise, up to the value 1 where we return to the starting point. To 
represent phase values that can be encoded on an n-qubit quantum computer, 
we place a dot on the circle at each integer multiple of aa There will be 2” such 
dots on the circle. Of course, a real phase parameter w may not be an integer 
multiple of mat and so may lie between the dots on the circle. This representation 
for the phase is illustrated in Figure 7.5. 


Suppose the phase being estimated is w, and let w be the nearest integer multiple 
of x to w, as shown in Figure 7.6. That is, ¢ is chosen as the integer between 
0 and 2” — 1 such that w = = is the closest number of this form to w. If w is 
exactly halfway between two numbers of this form, choose w = = to be one of 
the two. For ease of notation, in this section, we will abuse the usual absolute 
value notation and, for any real numbers w,@ € [0,1), we let |w — @| be such 
that 27|w — | is the shortest arclength between e?™ and e?" along the unit 


circle. That is, we will use |w— | to denote min{|w —], lw -—@+ 1], |w —@—1]}}. 


a call 
| Pe meey. 
. oo 
i °0 
\ ep Yael 
7 
Je 
an 
i a 
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Fig. 7.6 o= = is the nearest integer multiple of = to w. 
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Our first goal is to show that the phase estimation algorithm returns the integer 
& with probability at least 4. We begin with a lemma which follows easily by 
computing a simple geometric sum and recalling that |1 — e’?°| = |e~*® — e| = 
2|sin(6)|. 


Lemma 7.1.2 Let w= ed 


timation algorithm applied to the input state |) = T= ee 9 2 |y) outputs 


= 0.2122...27, be some nee number. The phase es- 


the integer x with probability: 


(7.1.30) 


The following lemma will be useful. 


Lemma 7.1.3 If |0| < 5 then sf a 2S 4, for any M>1. 


Together with Lemma 7.1.3, Lemma 7.1.2 implies the following theorem. 


Theorem 7.1.4 Let ® = = be an integer multiple of # closest to w. The phase 
estimation algorithm rebutns & with probability at febet +. 


In other words, with probability at least = the phase estimation algorithm 
outputs an estimate % such that | - w| ee sat: 


Note that if w lies exactly in between & and 5 (ie. w = #£ + yd), then we 
will measure one of the two closest estimates a w with probability at least a : 


In fact, this is true for any w as we summarize in the following theorem. 


Theorem 7.1.5 If 5; <w< ae then the phase estimation algorithm returns 


one of x orx+1 with probability at least + 


In other words, with probability at least + the phase estimation algorithm 
outputs an estimate # such that | — w| < gr. 


It is easy to verify that with probability at least 1— the phase estimation 


1 
2(k—1)? 
algorithm will output one of the 2k closest integer multiples of * (see Figure 7.7). 
This implies that with probability at least 7 — Raa)? the output @ of the phase 
estimation algorithm will satisfy |w —@|< 5;. In other were, in order to ohvain 
an estimate © such that with probability at ‘Teast 1 — sh we have |@ —w| < x, 
it suffices to do a phase estimation with n = m+r-+1. It is worth noting that 
us algorithm is quite likely to get an estimate that has error much smaller than 

. For example, with probability at least * the error will De at most oe If 
ae 2 only care about having an estimate wath error at most aan in Exercise 7.1.3 
you will show how to do so using O(log’) repetitions of the phase estimation 
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Fig. 7.7 a phase estimation algorithm will output one of the 2k closest integer 
multiples of 5; to w with probability at least 1 — x XS: 


algorithm with parameter n = m. Depending on the intrinsic cost of computing 
higher-order phase shifts, this could be a much more efficient algorithm. 


Exercise 7.1.3 Prove that O(log,(r)) phase estimations with n = m and taking the 
outcome that occurs most often provides an estimate © of the phase w which will with 
probability at least 1 — + have error |w — &| < se. 


Hint: Find an upper bound on the probability of obtaining anything other than one of 
the two closest estimates, and then guarantee that with high probability the outcome 
is one of the two closest estimates. 


Exercise 7.1.4 
(a) Give a concise description of the operation performed by the square of the QFT. 


(a) What are the eigenvalues of the QFT? 


7.1.2 Periodic States 


We have studied in detail the behaviour of the QFT (or its inverse) on compu- 
tational basis states, and on states of the form 


sere, (7.1.31) 


It is also interesting and useful to study behaviour of the QFT on what we often 
call periodic states. 


A periodic superposition of states is one of the form 


loro) = ae |zr +b). (7.1.32) 
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We say this state is periodic with period r, shift b, and m repetitions of the period. 


Consider the following problem: 


Finding the Period a of a Periodic State, Given mr 


Input: 
e Integer mr 
e A black-box generating quantum states 


lbr,b) = a »B |zr + b) (71:33) 


where 0 is chosen uniformly at random from {0,1,..., 7 — 1}. 
Problem: Find r. 


If we measure |¢,4) in the computational basis, we get zr + b for some value 
z € {0,1,..., m—1} chosen uniformly at random. Since b € {0,1,..., r—1} is 
also chosen uniformly at random, the probability of the measurement producing 
any particular integer x € {0,1,..., mr — 1} is uniformly a. and thus this 
outcome gives us no useful information about the value of r. 


Exercise 7.1.5 Prove 


QFTrlbre) =e De 2k). (7.1.34) 


However, if we apply? QFT,,;. to \¢,,») then the resulting state is the superpo- 
sition QFT;,;/¢r,b) = Fr ny 2 *|mk). If we measure this state we will 
obtain a value « = mk for some random integer & between 0 and r — 1. Since 


we know mr, we can compute ~~ = E and express it in lowest terms. Note 
however that if k and r share a non-trivial common factor, the denominator 
of the reduced fraction for ~~ = & will not be r, but rather some divisor of 


r. For example, suppose m = 3, r = 20, « = 24; in other words, we initially 
know mr = 60, and measuring QFT 9 |¢,,5) gave us the number z = 24. So 


in this case a = 4 and k = 8. However, since we only know mr = 60 and 
x = 24, we would reduce to lowest terms and obtain 24 = 2. The denominator 


5 is a divisor of r = 20, but we ‘lost’ the factor of 4 because 4 was also a factor 
of k = 24. 


3Note that QFT,,,, would also work. We choose to use QFT;,) for consistency with the 
phase estimation algorithm. 


TEAM LinG 


122 ALGORITHMS WITH SUPERPOLYNOMIAL SPEED-UP 


One answer to this potential problem is to simply note that with probability 
in cerer)> the integer k will not have a non-trivial common factor with r. 
Thus we only need to repeat this entire procedure an expected number of times 


in O(log log r) before we find r. 


In the next section, we introduce some mathematical notation and elementary 
techniques that give us a better method for finding r, and will also be useful 
elsewhere in this chapter. 


One important technical question is how to know we have the correct r. In 
the applications of this period-finding tool we use later, there will be an easy 
classical means for verifying the correct r. In the example of this section, since 
each denominator of the reduced fractions will be a divisor of r, then when r 
should eventually appear in the list, it will be the largest element in the list. 
Thus our algorithm should output the largest value in the list as the guess for 
r. In Exercise 7.1.6, we introduce an interesting tool that gives us another way 
to test if we have the correct value of r (note that we know our guess will be a 
divisor of r, so to prove it equals r, it suffices to verify that it is also a multiple 
of r). 


Exercise 7.1.6 Suppose you are given the state |ér,,) and a candidate r’. Devise a 
‘1-sided’ test, which always outputs 0 if r’ is a multiple of r, and outputs 1 with 
probability at least 50% otherwise. 


Hint: What happens if we add r’ mod mr to the basis states of |¢,,,)? 


For now, let us move on to the case that we do not actually know the product 
mr, and instead we have the following problem. 


Finding the Period of a Periodic State 


Input: 


e Integer n 
e A black-box generating quantum states 


lina) =f Ss” jer +8) (7.1.35) 


2:0<z2r+b<2” 


where 0 is chosen from {0,1,..., 7 — 1}, and my, © a is the value that makes 
the state have norm equal to 1.4 
Problem: Find r. 


4In order for the state to be normalized, we must have m, = |{z:0< zr+b<2™}| = 
[zeae | +1. This can also be written as my = gro" mod r) +1if 0 <b < (2” mod r), 


and m, = 22" mod r) if (2” mod r) <b <r. 
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If we apply QFT>: then with high probability a measurement will give a value 
x such that 57 is close to & for a random integer & € {0,1,2,...,r}. More 
specifically, we have the following theorem. 


Theorem 7.1.6 Let x be the outcome of measuring QF Tn \br,p). For each value 
x satisfying 


zc ek 1 
7.1.36 
2” r|~ 2mpr ( ) 
for some integer k, the probability of obtaining x is at least $2 4. 


This theorem can be obtained by computing a simple geometric sum and using 
Lemma 7.1.3. 


The important part about this bound on the error is that as long as m > r (it 
suffices to have 2” > 2r?), then -—— < <4. This allows us to find the fraction 


2mpr — Qr2° 
& using the continued fractions algorithm. 


The continued fractions algorithm is an algorithm that approximates any real 
number with a sequence of rational approximations. We will summarize the facts 
about continued fractions that are relevant for this textbook. 


Theorem 7.1.7 Each rational number ; has a sequence of O(n) rational ap- 
proximations, called convergents, 4, p=, where [™ = 5,, with the fol- 


27 1? b29°' 9? Bm 
lowing properties: 


@ ay < dg < +++ < Gm, by < bo < +--+ < bm. 
e The list of convergents of 57 
e If some fraction & satisfies 


can be computed in time polynomial in n. 


k : 5 : . 
then = appears in the list of convergents of 57. 


Note that Theorem 7.1.7 implies that if 2” > 2r? and if we measure one of the 


two closest estimates of E , we will be able to recognize which convergent equals 


£ (see Exercise 7.1.7). 


Exercise 7.1.7 (a) Prove that there can be at most one convergent ¢* # sa satisfying 


Hw -— El < se and <r. 


Qn bj 


(b) Prove that if 2” > 2r? and |4 — £| < 4, then # = * will be the only convergent 


= 97> 
. (n=1) 
of sx with b; < 2 2d 
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7.1.3 GCD, LCM, the Extended Euclidean Algorithm 


We begin by reviewing some basic definitions from number theory, and then state 
an algorithm which will be useful for some of the classical reductions we will see 
in this chapter, in particular for finding r given a close estimate of & for random 
integers k. 


Definition 7.1.8 An integer x is said to divide an integer y, written x|y, if there 
exists another integer z such that y = xz. 


Definition 7.1.9 The greatest common divisor (GCD) of two integers x and y, 
denoted GCD(x, y), is the largest positive integer z that divides both x and y. 
In the case that x = y = 0, we define GCD(z, y) = 0. 


Two numbers x and y are said to be coprime or relatively prime if the GCD of 
xz and y, denoted GCD(a, y), equals 1. 


Definition 7.1.10 The lowest common multiple (LCM) of two integers x and 
y, denoted LCM(x, y), is the smallest integer z that is divisible by both x and y. 


A well-known algorithm called the extended Euclidean algorithm (EEA) provides 
an efficient way to compute LCMs and GCDs. 


The Extended Euclidean Algorithm 


The EEA takes two positive integers x,y < 2” and outputs three integers 
a,b,d < 2” with the following properties: 


d= GCD(z,y) (7.1.37) 
ax + by = d. (7.1.38) 


The total running time is in O(n?). 


Corollary 7.1.11 (EEA): Given non-zero integers x and y, the EEA can be 
used to efficiently find: 


1. GCD(z, y) 

2. LCM(a, y) = GODiaw) 

3. The fraction x/y reduced to lowest terms (i.e. find x,y, such that x/y = 
x1/y, and GCD(#1, y1) = 1; note that 7, = CDi)’ Y= acDaa) 

4. The inverse of x modulo y (assuming GCD (a, y) = 1). 


Let us return to the problem of finding r given the fraction & expressed in lowest 
terms for an integer & € {0,1,2,..., 7 — 1} selected uniformly at random. 


Suppose we repeat the procedure to obtain two measurement results x; and %2, 

such that 2. = © and 22 = *2, for integers k,, kz between 0 and r—1 selected 
mr Tt mr i i 

uniformly at random. 
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We can efficiently find integers ¢1,11,¢2, 72 with GCD(cq, 11) = GCD(ce,r2) = 1 
so that me = . and ne = a Note that this means that r; and rg both divide r 
(i.e. r is a common multiple of r; and r2). 


Theorem 7.1.12 Let r be a positive integer. Suppose the integers k, and kz 
are selected independently and uniformly at random from {0,1,..., 7 —1}. Let 
C1,1T1,C€2,T2 be integers so that GCD(r1, c1) = GCD(r2, cz) = 1 and uae = 7 and 


ko _ co 


r Tr2° 


Then with probability at least °; we have r = LCM(r,,r2). Furthermore, the 


2 
Tv 
numbers ¢1,11,C2,72, and r can be computed in time in O(log? r). 


7.2 Eigenvalue Estimation 


When we looked at the Deutsch algorithm (and similarly the Deutsch—Jozsa and 
Simon algorithms), we mentioned that we could think of the operator Uy as a 


controlled operator cU f(a): We saw that the state me of the target qubit was 


an eigenvector of 0 (x), with corresponding eigenvalue (—1)/(), and we showed 
that we can associate this eigenvalue with the control qubit. We generalize this 
idea here, and show how we can construct a quantum circuit for estimating 
eigenvalues of a given multi-qubit unitary operator U. 


Consider an n-qubit unitary operator U with eigenvector |W) and corresponding 
eigenvalue e2". Suppose that we have an efficient quantum network for imple- 
menting U. Now consider a controlled-U gate (i.e. a circuit for performing the 
controlled-U operation, which we bundle-up and represent as single ‘gate’. Recall 
Exercise 4.2.7 on how to implement this). Suppose the second (target) register 
is prepared in the eigenstate |). If the control qubit is in state |0), U is not 
applied to the qubits of the second register. If the control bit is in the state |1), 
U is applied. In this case, denoting the controlled-U gate by c-U, we have 


c-U|1)|b) = |1)U |p) 
= |1)e27* |ap) 
= 11) 1). (7-24) 


This is shown in Figure 7.8. 


Suppose the control qubit is prepared in a superposition a|0) + 3/1). Then the 
effect of applying the controlled-U is to encode the eigenvalue of U into the 
relative phase factor between the basis states |0) and |1) in the control qubit’s 
state. As a relative phase, it becomes a measurable quantity (through quantum 
interference). This effect of encoding the eigenvalue of U into the phase of the 
control register of a controlled-U operation is illustrated in Figure 7.9. 


In this section we are going to apply this idea of encoding eigenvalues in the 
phases of a control qubit together with the phase estimation algorithm to solve 
the following problem. 
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i1) i bh 


\) U Eerie 1) 


Fig. 7.8 When we analyse the action of the controlled-U on the state |1)|q) for an 
eigenstate |) with eigenvalue e?*"”, the phase shift corresponding to the eigenvalue 
of U can be associated with the control qubit, since |1) (e?"’|~)) = (e?*"”|1)) |p). 
That is, the eigenvalue of U on |~) can be considered to have been ‘kicked back’ to the 
control qubit. 


a|0) + 81) a|0) +e?" 3|1) 


I) U |) 


Fig. 7.9 When the control bit is in a superposition of |0) and |1), the |0) component 
does not pick up a phase of e?", and the |1) component does. Thus the eigenvalue 
turns up as a relative phase between the |0) and |1) components of the control bit 
superposition. 


Eigenvalue Estimation Problem 


Input: A quantum circuit implementing an operator U, and an eigenstate |W) 
with corresponding eigenvalue e?7™”. 
Problem: Obtain a good estimate for w. 


Recall that the inverse QFT (which we showed was a good algorithm for phase 
estimation) allows us to estimate w given the state 


= 3 em iwy lay) (72.2) 
_ 0) al e2ri(2"~*w) 17) 0) A e2ri(2"~2w) 17) _ (® he ty 
7 V2 V2 V2 , 


(72.3) 


So if we can devise a quantum circuit that creates this state, we can then use 
QFT~' to estimate the eigenvalue. To see how this can be done, notice that |) 
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is also an eigenvector of U?, with corresponding eigenvalue (e2atu)? =e, 
Similarly, for any integer x, we know that |W) is an eigenvector of U® with 
corresponding eigenvalue e”2"™., So if we implement a controlled-U2’, and set 
the control qubit to Pee, and the target qubit to the eigenstate |w), then the 


result is 
; e27i(27w) 
cu (*) )) Z (2 a _ » | Ww). (7.2.4) 


With these observations, it is easy to see that the circuit in Figure 7.10 creates 
the state (7.2.2). 


As we have seen, if we now apply the QFT~! to the output of the circuit shown 
in Figure 7.10, we will obtain a state |®), which provides (with high probability) 
a good estimate of the eigenvalue parameter w. Therefore, the circuit shown in 
Figure 7.11 solves the eigenvalue estimation problem. 


We have a sequence of controlled-U2" operations controlled on the k'® significant 
bit x, of e = 2°-!x,_14+ ... +2214 20, for each of k = 1,2,..., n. It is easy to 
see that this has the overall effect of applying U a total of x times (exponentiating 
U). We can write this as a single U* operator. We therefore define a c-U* operator 
that maps 


c-U® :|x)|b) > |x)U*|¢). (7.2.5) 


Exercise 7.2.1 Let N < 2”. Given a € {2,..., N — 2}, explain how a?” mod N can 
be computed in time polynomial in m+n, and with space in O(n). 


0) 4 e2ri(2” Ay |1) 


id va, 
0)+|1) 0)+e27i(2"— Jw 1) 
2 e i 
bh 1) , 0) be2i(2) 1) 
v2 v2 
0) +1) ® 0)+e2"™|1) 

v2 V2 

eb) ue |) 


Fig. 7.10 First stage of eigenvalue estimation. 
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10)+11) 
v2 . nn 
10)+11) 
v2 e /-— 
QFT™ 2) 
oat ry 
2 
10)+11) | 
° I 
lw) eee UP We) 


Fig. 7.11 A circuit for eigenvalue estimation. We measure the state |@) and obtain a 
string x corresponding to the binary representation of an integer. Our estimate for w 


~ xz 
is 27 5r- 


Jer 


QFT QFT™! 


klk 


2) : ue : |2) 


QTiw 


Fig. 7.12 A circuit for estimating the eigenvalue e of the operator U on eigenvalue 


I*)). 


The qubits in the first (control) register can be prepared in the state 


(me) ()(e) 


by starting with the state |0)®”, and applying the n-qubit Hadamard transforma- 
tion H®". We have seen before that the tensor product factors can be expanded 
out, and the result can be written more concisely as 


2”-1 


Hen|g\ er = dX |x). (7.2.7) 


It is easy to check from the definition of the QFT that 
OFTig,e* = Fe" 972" (7.2.8) 


and so we can use a QFT in place of a Hadamard gate. 


With the above observations, the circuit for eigenvalue estimation can be drawn 
more concisely as shown in Figure 7.12. 


The eigenvalue estimation algorithm implemented by the circuit in Figure 7.12 
is summarized below. : 
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Eigenvalue Estimation Algorithm 


1. Initialize an n-qubit register to |0)®”. Call this the control register. 

2. Apply the QFT to the control register. 

3. Apply c-U* to the given eigenstate |w), controlled on the state of the 
control register. 

4. Apply the QFT~! to the control register. 

5. Measure the control register to obtain a string of bits encoding the integer 


x. Output the value 55 as the estimate for w. 


Suppose we apply the eigenvalue estimation circuit with the second register ini- 
tially in an arbitrary state |q) which is not necessarily an eigenvector of the 
n-qubit operator U. By the spectral theorem (see Section 2.4), the eigenvectors 
of U form a basis for the 2”-dimensional vector space on which U acts. This 
means that any state in this space can be written as a linear combination of the 
eigenvectors of U. So we have 


IB) = SY cvsley) (7.2.9) 


j=0 


where |y;) are the eigenvectors of U with corresponding eigenvalues e?7/, 


for 7 = 0,1,..., 2” — 1. We know the eigenvalue estimation algorithm maps 
|0)®"|a;) + |@;)|b,;). Thus, by linearity, if we apply the eigenvalue estimation 
27-1 


circuit with the second register in the state |~) = )7j-9 @,|¥;), we obtain the 
superposition 


27-1 


d= ej|e5) 03). (7.2.10) 


j=0 


This is illustrated in Figure 7.13. We will see this idea applied in the next section. 


Note that measuring the first register is equivalent to being given |®,;)|;) with 
probability |a;|? and then measuring the first register. 


Recall from Exercise 3.5.4 (a) that measuring the first register and then tracing 
out (i.e. discarding or ignoring) the second register is equivalent to tracing out 


|0)®" = QET QFT" 


ye; 125) bs) 


yy Oly) UP 


Fig. 7.13 The eigenvalue estimation circuit applied with the second register in the 
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the second register before measuring the first register. In Exercise 3.5.4 (b), 
we verify that tracing out the second system is equivalent to measuring it and 
then discarding it without revealing the measurement outcome. For convenience, 
we can therefore assume that the second register was measured in the basis of 
eigenstates and then traced out. Thus, in the case of the state in Equation 7.2.10, 
tracing out the second register leaves the first register in the mixture consisting 
of the state |®@;) with probability |a;|?. This way of describing the state of the 
first register will be a useful way of analysing many of the algorithms in this 
chapter. 


Exercise 7.2.2 


(a) Recall in Section 4.5 it was shown how to implement a parity measurement using 
a quantum circuit. In Exercise 3.4.4, it was shown how the parity measurement is 
equivalent to measuring the observable Z®”. Describe an alternative algorithm (and 
draw the corresponding circuit diagram) for measuring the observable Z @ Z @ Z using 
one application of a c-(Z ® Z ® Z) gate. 


(b) Consider the observable M = > , miP;, where we assume for convenience that m; € 


{0,1,2,..., N—1}. Let U = e'™ Describe an algorithm (and draw the corresponding 
circuit diagram) for measuring the observable M given one application of a c-U® which 
maps |x)|) — |x)U"|~), for x € {0,1,..., N — 1}. 


7.3. Finding-Orders 
7.3.1 The Order-Finding Problem 


In the preceding sections we have developed tools that now allow us to describe an 
algorithm that has been one of the most important developments in the history 
of quantum computation. This is the quantum factoring algorithm, discovered by 
Peter Shor in 1994. The RSA cryptosystem is a public key protocol widely used in 
industry and government to encrypt sensitive information. The security of RSA 
rests on the assumption that it is difficult for computers to factor large numbers. 
That is, there is no known (classical) computer algorithm for finding the factors 
of an n-bit number in time that is polynomial in n. If such an algorithm were 
found, it would undermine the security of RSA. So when Peter Shor discovered 
that a quantum computer is capable of factoring large numbers efficiently, this 
generated much excitement and catalysed industry and government’s interest in 
the potential of quantum computation. 


Before we continue to describe this and other similar algorithms in more detail, 
we include a short section describing some of the relevant mathematics we will 
be discussing. 
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7.3.2 Some Mathematical Preliminaries 


The integers mod N is the set of integers {0,1,..., N—1}, which we will denote 
as Zn. Two integers s and t are said to be equivalent mod N if N divides s — t 
with zero remainder. In this case we write 


s =t(mod N). (7.3.1) 


Any integer k can be reduced mod N by taking the remainder r after division 
of k by N. In this case we write 


r=kmod N. (7.3.2) 


One important property is that if GCD(a,N) = 1, then the number 1 will 
eventually appear in the sequence a mod N, a? mod N, a® mod N,... and then 
the sequence continues to repeat itself in a periodic fashion. This motivates the 
following definition. 


Definition 7.3.1 Given integers a and N, such that GCD(a, N) = 1, the order 
of a (mod JN) is the smallest positive integer r so that a" = 1 (mod N). 


Exercises 7.3.1 and 7.3.2 provide some practice working with modular arithmetic, 
and prove some basic results. 


Exercise 7.3.1 
(a) Compute 118 mod 5. 


(b) Prove that xy mod N = (a mod N)(y mod N) mod N. 


Exercise 7.3.2 


a) What is the order of 2 mod 5? 


) 
b) What is 2°°° mod 5? 


( 
( 
(c) What is the order of 2 mod 11? 

(d) Let r be the order of 2 mod 55. 

(i) Find r. 

(ii) Find GCD(55, 22 — 1) and GCD(55, 2? + 1). 


If p is prime, then Z,, with the operations of addition modulo p and multipli- 
cation modulo p is a finite field or Galois field often denoted F, or GF (p). If N 
is not prime, then Zy is not a finite field. For any integer N, we let Zi, denote 
the set of numbers x in Zy where x and N are coprime. These are precisely 
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the integers « € {0,1,2,..., N — 1} for which there exists an integer y with 
xy = yx = 1(mod N); for each such 2, y is unique and is called the inverse 
of x modulo N. We call Zi, (with the operation of multiplication mod N) the 
multiplicative group of the ring Zn. 


For every prime power p™, m > 1 there also exists a finite field Fm of that 
order, but it is not equivalent to Zpm. For most of this introductory textbook, 
we do not need to work with the more general notions of groups, rings, and fields, 
and will usually just work with very simple concrete examples of such objects 
like Zy. We will just point out that the problems of finding orders and discrete 
logarithms (to be described in the following sections) can be defined in more 
general families of groups including F*,. (the multiplicative group of the finite 
field F,m), Zy, and even very different looking groups like the additive group 
of points on an elliptic curve (of much use today in public key cryptography). 
No knowledge of group theory (beyond the most basic properties of groups like 
Z*,) is required to understand the algorithms in this chapter. We will illustrate 
the mechanics of these algorithms using the simple concrete groups of the form 
ZN. 


Integer Factorization Problem 


Input: An integer N. 
Problem: Output positive integers p), p2,..-, P1,T1,72,---, T, where the p; are 
bss a 


distinct primes and N = pj'ps”... p;'. 


Suppose we wish to factor the integer N. Since it is easy to remove factors 
of 2, we will assume N is odd. Furthermore, one can easily factor any inte- 
ger N that is a prime power (see Exercise 7.3.3). Thus, we will further assume 
that the factorization of N contains at least two distinct odd prime factors. 
If we could split any odd non-prime-power integer into two non-trivial factors, 
then we can completely factor N into its prime factors using at most log N 
splittings. There are efficient classical probabilistic algorithms for testing pri- 
mality, and also polynomial time classical deterministic algorithms (though at 
present the polynomials have a fairly high degree), so we know when we can 
stop trying to split the factors. Thus, the problem of factoring N can be re- 
duced to O(log N) instances of the problem of splitting an odd non-prime-power 
integer. 


Splitting an Odd Non-Prime-Power Integer 


Input: An odd integer N that has at least two distinct prime factors. 
Problem: Output two integers Ny, No, 1 < Ni < N,1< No < N, such that 
N= Ni x No. 
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Exercise 7.3.3 Suppose N = m” for some integers m > 1 and n > 1. Show how to 
find a non-trivial splitting of N in time polynomial in log(V). 


Miller showed in 1975 how the problem of splitting integers reduces probabilis- 
tically to the problem of order finding. This means that if we have an efficient 
algorithm for order finding, it is possible to give an efficient probabilistic algo- 
rithm for splitting integers (the splitting algorithm will use the order finding 
algorithm as a subroutine). We will sketch this reduction. 


Order-Finding Problem 


Input: Integers a and N such that GCD(a, N) = 1 (ie. a is relatively prime 
to N). 
Problem: Find the order of a modulo N. 


To split N, we would start by finding the order of a random integer a that 
is coprime with N. To do this, we first need to have some means of finding 
such an integer a. If a is not coprime with N, then the GCD of a and N, de- 
noted GCD(a, N), is a non-trivial factor of N. As we saw in Section 7.1.3, the 
GCD of two numbers can be found efficiently using the EEA. So one can uni- 
formly sample elements a coprime to N by uniformly sampling {2,3,..., N —2} 
and then applying the EEA to test if the sampled integer is coprime with N. 
(If GCD(a, N) > 1, then we have hit the jackpot as we have already found a 
non-trivial factor of N.) If a is randomly selected with GCD(a, N) = 1, then 
the order r of a will be even with probability at least >: If r is even, then 
b= a'/? mod N satisfies b? — 1 = 0 mod N, and thus N divides (b— 1)(b+ 1). 
The hope is that GCD(b — 1,N) will be a non-trivial factor of N. If N has 
at least two distinct prime factors, then for an integer a selected uniformly 
at random with even order r, the probability that GCD(a’/? — 1 mod N,N) 
is a non-trivial factor of N is at least 5. Thus, only a constant number of 
values a need to be tried in order to successfully split N with high 
probability. 


Recalling Theorem 7.1.12, we can reduce the order-finding problem to the task 
of sampling fractions E for integers k chosen uniformly at random between 1 and 
r—1. Using a beautiful piece of number theory, the theory of continued fractions 
(recall Theorem 7.1.7), we can reduce the task of exactly determining a fraction 


k : . 4 . k 1 
< to the task of finding an estimate 55 with |= — =| < yz. 


It is important to note that all of the above reductions are classical. To sum- 
marize, therefore, finding the order r of a modulo N with bounded error can be 
reduced to the following sampling problem. 
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Sampling Estimates 
to an Almost Uniformly Random Integer Multiple of 4 


Input: Integers a and N such that GCD(a, N) = 1. Let r denote the (unknown) 
order of a. 

Problem: Output a number x € {0,1,2,...,2”~'} such that for each 
k € {0,1,..., 7 —1} we have 


n( 


2” 


for some constant c > 0. 


Fact: Write a = > 6b to mean that problem a reduces to a problem b. We 
have 
Factoring any integer 
{| deterministic classical polytime reduction 
Splitting odd non-prime-power N 
{| probabilistic classical polytime reduction 
Finding the orders of integers modulo N 


{} probabilistic classical polytime reduction 
: : : : 1 
Sampling estimates to a random integer multiple of — 
r 


(where r is the order of some integer a mod NV). 


This sampling problem is where a quantum algorithm is used. In the following 
section we show how eigenvalue estimation can solve the above sampling problem 
(and thus the integer factorization problem). 


7.3.3 The Eigenvalue Estimation Approach to Order Finding 


As we show later, Shor’s order-finding algorithm can be viewed as an application 
of the eigenvalue estimation algorithm we saw in Section 7.2. 


Let U, be the operator that maps 


Uq :|s) — |sa mod N), O<s<QN. (7.3.3) 


Since a is coprime with N, then a has an inverse modulo N, and so the trans- 
formation performed by U, is reversible and thus unitary. Also, U, can be im- 
plemented efficiently. When implementing this operation say using m qubits 
where 2” > N, we can simply extend the action of U, in any reversible way, for 
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example 


Ug :|s) — |sa mod N), s<N 


| 
Is) |s), O<s>N. (7.3.4) 
We will restrict attention to the action of U, restricted to the state space spanned 


Note that since a” = 1 (mod JN), we have 
U* :|s) + |sa” mod N) = |s). (7.3.5) 


That is, U, is an rth root of the identity operation. 


In other words, since we know how to multiply by a modulo N, we therefore 
know how to implement a unitary transformation that is an rth root of the 
identity operation. In Exercise 7.3.4 you will verify that the eigenvalues of a 
unitary operation that is an rth root of the identity operation must be rth roots 
of 1, that is, of the form e2"** for some integer k. 


Exercise 7.3.4 Prove that if a operator U satisfies U" = I, then the eigenvalues of U 
must be rth roots of 1. 


Consider the state 


r-1 


luz) = 7s ~2niF 8/45 mod N). (7.3.6) 
s=0 


We have 


Ua\ur) = ae e~?>5U,|a® mod N) 


1 : 
= F "ie mod N) 
r—1 
2nik —2nik ee s+1 d N) 
=e a mo 
to 
= 27 F lup) (7.3.7) 


and so |uz) is an eigenstate for U, with eigenvalue e2"**. The last equality in 
the above equations follows from the fact that e2"'r"|a” mod N) = e27#r%q® 
mod N). 
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Exercise 7.3.5 Let b be an integer coprime with N. Give a set of eigenvectors 9) of 


Ua so that |b) = 7775 Fi lbj). 


For any value of & between 0 and r — 1, if we were given the state |ux,), we could 
apply the eigenvalue estimation algorithm and perform 


|0) un) > |k/r) un). (7.3.8) 


Referring to Theorem 7.1.5, we see that measuring the first register of this state 
would solve the sampling problem, and therefore solve the order finding problem. 


Without knowing r, we do not know how to prepare such states |u,). Fortunately, 
we do not have to. The key insight i is the following. Instead of preparing an eigen- 
state having eigenvalue e2"'* for a randomly selected k € {0,..., 7—1}, it would 
suffice to prepare any superposition or mixture that contains each eigenvalue with 
sufficient weight. For example, a uniform superposition of the eigenstates would 
suffice. Then the eigenvalue estimation algorithm will produce a superposition 
of these eigenstates entangled with estimates of their eigenvalues, and when a 
measurement is performed, the result is an estimate of a random eigenvalue. We 
shall see that such a superposition of eigenstates is possible to prepare, without 
knowing r. Consider 


Jeol k) -5o ae S\a° mod N). (7.3.9) 


Notice that |a* mod N) = |1) iff s = 0 (modr). The amplitude of |1) in the 
above state is then the sum over the terms for which s = 0. This is 


r-1 r-1 
1 —omikg — Ll 
SS = zs e ae =—S ) (1) 
vr " x0 5 
=1. (7.3.10) 


So the amplitude of state |1) is 1, and thus the amplitude of all other basis 
states must be 0. So we have 


= 3 lui) = |1). (7.3.11) 
k=0 


This means that the eigenvalue estimation algorithm maps the input state 


\0)|1) = “ez (7.3.12) 


= — 3 0) |wx) (7.3.13) 
k=0 TEAM LinG 
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to the output state 


- > le/r) ue). (7.3.14) 


If we trace out or ignore the second register, we see that the first register is 
in an equally weighted mixture of the states |k/r), for k € {0,1,...,r— 1}. 
Therefore, a measurement of the first register at the end of the eigenvalue esti- 
mation algorithm yields an integer x such that 37 is an estimate of & for some 
k € {0,1,..., r —1} selected uniformly at random, As mentioned above, with 
high probability this estimate will allow us to exactly determine the fraction z 
using the continued fractions algorithm. 


A quantum circuit implementing the quantum part of the order-finding algorithm 
is shown in Figure 7.14. 


The order-finding algorithm is summarized below. 


Order-Finding Algorithm 


1. Choose an integer n so that 2” > 2r?. The value n = [2 log N] will suffice. 

2. Initialize an n-qubit register to |0)®”. Call this the control register. 

3. Initialize an n-qubit register to |1) = |00...01). Call this the target regis- 

ter. 

Apply the QFT to the control register. 

Apply c-U® control and target registers. 

Apply the QFT~' to the control register. 

Measure the control register to obtain an estimate 5 of a random integer 

multiple of 1. 

8. Use the continued pacuars algorithm to obtain integers c; and r; such 
that |: — S| < =r. Ifno such pair of integers is found, output ‘FAIL’. 


rie 


9. Repeat ae 1- 7 to io Shiels another integer x2 and a pair of integers c2 
and rz such that a < ; ae . If no such pair of integers is found, 
output ‘FAIL’. 

10. Compute r = LCM(r1,r2). Compute a” mod N. 
11. If a” mod N = 1, then output r. Otherwise, output ‘FAIL’. 


ae 


O°" ; 


QFT QFT 


Fl 


1) = Ti 9 ss lei) 3 UZ 


Fig. 7.14 A circuit for sampling estimates to a random integer multiple of 3, which can 
be used to solve the order-finding problem. The measured bits are a binary represen- 
tation of an integer x such that 57 is an estimate of & for a randuma Mtegeice- 
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To see why this algorithm works, note that Step 6 is effectively measuring IE) for 
an integer & selected uniformly at random from {0,1,..., 7 — 1}. The following 
theorem thus follows by the reductions given in Section 7.3.2. 


Theorem 7.3.2 The order-finding algorithm will output the correct order r of 
a with probability at least “ > 0.399, and otherwise outputs a multiple of r or 
‘FAIL’. 


The computational bottleneck of this algorithm is the controlled exponentiations 
of the operator U,, that is, the c-U2’ operations for j = 0,1,2,..., 2"! that 
constitute the c-U%, as we saw for eigenvalue estimation in Section 7.2. The 
obvious way to compute c-U2’ requires 2/ applications of the c-U, operation. 
A critical observation is that c-U2’ = c-U,2;; in other words, multiplying by 
a modulo N a total of 2% times is equivalent to multiplying by a?’ mod N 
only once. We can (classically) precompute a?’ mod N with only j multipli- 
cations modulo N (by repeated squaring modulo N, starting with a), which 
provides an exponential improvement over multiplying by a modulo WN a total 
of 27 times. The quantum circuit we would implement would simply be a circuit 
for multiplying by the number a? mod N (which is a number between 1 and 
N — 1). Standard arithmetic techniques can implement this multiplication with 
only O((log NV) log log(V) log loglog(N)) elementary gates. Thus, the required 
exponentiation can be done with only O((log N) log log(N) log log log(.N)) ele- 
mentary gates. The QFT require O((log N)”) gates. Thus this quantum circuit 
requires only O((log N)? log log(N) log log log(V)) elementary quantum gates. 
Note that it only needs to be repeated a constant number of times to success- 
fully factor N into two non-trivial factors with a high probability of success. 


In contrast, the best-known ‘heuristic’ classical algorithm uses 


i 2 
eO (Vlog N) 3 (log log N)3) elementary classical gates. The best-known rigorous clas- 


sical algorithm uses e?((es N)? (log log N)?), 


It is important to note that the order-finding algorithm will work for any group 
for which we can represent group elements uniquely and perform the group op- 
eration. In other words, the order-finding algorithm works for ‘black-box groups’ 
(with unique encodings”). In the black-box group model, each element is encoded 
by a string of some length n, and one can perform group operations (multiplica- 
tion, inverse, and recognizing the group identity element) on these encodings via 
a black-box. An algorithm in this model cannot access any information about 
the structure of the group except through the black-box. The complexity of 


5Tn order for quantum interference to occur, each group element must be represented by some 
unique quantum encoding. Thus, it is sufficient if each group element has a unique classical 
encoding. However, more sophisticated unique quantum encodings might also possible, such as 
letting each group element be represented by a uniform superposition of all its valid classical 
encodings. 
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algorithms in the black-box model can be measured in terms of the number 
of applications of the black box (as well as the number of other operations). 
Appendix A.6 discusses the black-box group model in more detail. 


The classical and quantum complexities for order finding are summarized below. 


Complexities for Order Finding 


e Finding the order of a random element in Zy 
- Quantum complexity is in O((log NV)? log log(N) log log log(N)). 
- Best-known rigorous probabilistic classical algorithm has complexity 
in eO (Vlog N log log N) : 
- Best-known heuristic® probabilistic classical algorithm has complexity 
in 0 ((log NV) (log log N)3)_ 
e Order finding in a black-box group 
- Quantum black-box complexity (for groups with unique encodings of 
group elements) is O(log r) black-box multiplications and O(n+log? r) 
other elementary operations. 
- Classical black-box complexity is in O(./r) black-box multiplications. 


7.3.4  Shor’s Approach to Order Finding 


The above is not the analysis outlined by Shor in his landmark 1994 paper on 
integer factorization. It is equivalent, however, as we will show in this section. 
Understanding both approaches is useful when trying to generalize the algorithms 
to solve other problems. 


The original approach to order finding (in particular, to estimating a random 
integer multiple of +) was the following: 


Original Approach to Estimating a Random Integer Multiple of t 


1. Create the state 
1 
|Wo) = ) s=I|2)|a* mod N). (7.3.15) 


We can rewrite the above state as (see Exercise 7.3.6) 


mp—l 


bo) = 3 (Fe d, ler + 6) ja’ mod N). (7.3.16) 


b=0 


where my is the largest integer so that (my — 1)r +6 < 2” — 1 (see Equa- 
tion (7.1.35)). 


6By ‘heuristic’ algorithm, we mean the proof of its running time makes some plausible but 
unproven assumptions. 
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2. Measure the second register. We will get a value a? mod N for b chosen 
almost” uniformly at random from {0,1,..., 7 —1}. The first register will 
be left in a superposition of the form 


— VO [er +). (7.3.17) 


If we were able to implement the OFT: 2 and apply it to the above state 


(recall Section 7.1.2), then we would produce the superposition 


r-1 
—onibs ; 
) e273 |mpj). (7.3.18) 
j=0 
In other words, we will only measure values x such that aa = £ for 
some integer 7. However, since we do not know what r and mp are, we use 


OFT: .: 

3. Apply GF Ts, to the first register, and then measure. Let x denote the 
measured value. 

4. Output 57. 


The rest of the algorithm can proceed identically to the algorithm in 
Section 7.3.3. 


Theorem 7.3.3 The above algorithm outputs an integer x € {0,1,2,..., 2”—1} 
such that for each j € {0,1,2,..., r—1} with probability at least 4, we have 


° rT 
ot) < te 
r 


Therefore, this algorithm solves the problem of estimating an almost uniformly 
random integer multiple of i, 


Exercise 7.3.6 


(a) For every integer x € {0,1,2,..., 2” — 1} show that there are unique integers zz 
and bz where x = zzr + by and 0 < bz <r. 


(b) Using the result of part (a) above, show that Equation (7.3.15) can be rewritten as 
Equation (7.3.16). 


“Note that for the values b satisfying 0 < b < (2” mod r) the probability of measuring a? 


is 4 + ee and for 6 satisfying (2” mod r) < b <r, the probability of measuring a? 
is 4 = eee), In other words, the probability lies in the interval (4 = aa 4 + aa): 
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Note that, as was the case in Simon’s algorithm, since we never use the measured 
value in Step 2, we can ignore that step. Furthermore, a very natural way to 
create the state in Step 1 is to first prepare the state 


27-1 1 
Ivo) = > eleyI1) (7.3.19) 


and then perform the operation that maps |x)|y) + |x)|ya” mod N). 


Thus Shor’s algorithm is implemented by the circuit in Figure 7.15. Note that 
this is exactly the same circuit we described in the previous section. The only 
difference between the two approaches is the basis in which the state of the 
system is analysed. In the previous section we expressed the state of the second 
register in the eigenvector basis. In this section we expressed the state of the 
second register in the computational basis. This equivalence is illustrated in 
Figure 7.16. 


Note that constructing a circuit that implements c-U? : |x)|y) + |x)|ya” mod N) 
is not actually necessary. It suffices to create the state 5°, |x)|a”) 
which can instead be constructed easily using a circuit that implements 
V, : |z)|y)  |x)|y@ a”). Appendix A.6 discusses the relationship between these 
different types of black-boxes. 


Exercise 7.3.7 Show how the order-finding algorithm can be generalized to solve 
a special case of the period finding problem. More specifically, let f : Z — X, for 
some finite set X, be a periodic function with period r. That is, for any x we have 
f(x) = f(@+r) = f(w@+2r) =.... In other words, f(x) = f(y) if rla—y (where r|xz—y 
denotes the condition that r divides x — y ). Furthermore, assume that f(x) # f(y) 
unless r|z — y, so that f(x) = f(y) if and only if rj” — y. Given a black-box Uy that 
maps |x)|0) + |a)|f(a)), describe an algorithm for finding the period of f, and prove 
that it works. 


bl 


|0)°" — QFT ( QFT"! 


a 


IW); UE 


Fig. 7.15 A circuit for implementing the quantum part of Shor’s algorithm. The mea- 


sured string x gives an estimate 5, of a random integer multiple of 2, 
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Equivalence of the two approaches to analyzing the order finding algorithm 


Shor’s Analysis Eigenvalue Estimation Analysis 
Initial |0)|1) dix 0) [ue) 
state 
on dee |2)|1) Dok Dan |@) Ue) 
Ue de Qu. ler + 5)) |a”) ee (x. errit* |) |x) 


orn,’ SelM Lh dab) D.|__fL_)lu) 


rrr r 


m | SoMMUU~ A MUU JL | Dal 


r r 


Jk aoe 
~~ 
—~ 

—— 


aL) 


ror 


Fig. 7.16 Equivalence of Shor’s analysis and the eigenvalue estimation analysis of the 
order-finding algorithm. Each column represents the same state as viewed in each of 
the two analyses at each step of the algorithm. The last line illustrates the state after 
tracing out the second register. In the last two lines of the table, we illustrate the 
amplitudes of the states graphically, by drawing peak where the probability amplitude 
will be concentrated. 


7.4 Finding Discrete Logarithms 


Not all public key cryptosystems in use today rely on the difficulty of factoring. 
Breaking many cryptosystems in use today can be reduced to finding discrete 
logarithms in groups such as the multiplicative group of finite fields or the ad- 
ditive group of points on elliptic curves. Shor also showed how to find discrete 
logarithms in Z;, and the algorithm easily extends to other groups, including the 
widely used elliptic curve groups. 


The discrete logarithm problem in Z> is the following. 


The Discrete Logarithm Problem 


Input: Elements b and a = b¢ in Z,, where ¢ is an integer from {0,1,2,...,r— 
1} and r is the order of a. 

Problem: Find t. (The number ¢ is called the discrete logarithm of b with 
respect to the base a.) 
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As in Section 7.3.3, let Uz be the operator that maps 

Ug :|8) + |sa mod N), s<QN, (7.4.1) 
and let U; be the operator that maps 

Uy :|s) — |sb mod N), s<QN. (7.4.2) 


We assume that we know r, the order of b. 


Because of the quantum factoring algorithm, we assume that we can factor r into 
its prime factors, and we can therefore reduce the discrete logarithm problem 
to the base a to less than logr instances of the discrete logarithms problem for 
elements a’ of prime order (see Appendix A.2). We will therefore assume for 
convenience that r is prime, but the algorithm would also work for composite r 
with a slightly more complicated analysis. 

The operators U, and U; share the eigenvectors |u,) defined in Section 7.3.3, 
with respective eigenvalues e2*'7 and e2*'. The idea is to apply the eigenvalue 
estimation algorithm to estimate® these two eigenvalues accurately enough to 
determine both £ and “™°4"_ Since (unlike with the order-finding problem) 
we know 1, we only need to estimate these eigenvalues with an error of at most 
>; in order to find the correct numerator (which only requires n > logy r + 1). 
In particular, since we know r we do not need to apply the continued fractions 
algorithm (which used n > log} r +1). If k 4 0 (which occurs with probability 
1- +) we can simply compute 


t = k~'kt mod r = (k mod r)~'(kt mod r) mod r. (7.4.3) 


Thus, we can apply the eigenvalue estimation algorithm twice, as shown in Fig- 
ure 7.17 in order to find discrete logarithms. 


The circuit in Figure 7.17 maps |0)®"|0)®"|u;,) to |#) | emed ey leap), Therefore 
starting with |0)®"|0)®"|1) = |0)®”|0)®”" 3-76 |u,) yields the state 


r-1 


| £)|Aemee ry lay,). (7.4.4) 
k=0 


Tracing out the last register, the first two registers are in an equally weighted 


mixture of the states EEE mod’) for k € {0,1,...,r—1}. 


8In fact, by Theorem 7.1.1, since we know r, we efficiently approximate the QFT, with 
arbitrary precision. Thus we could assume for convenience that we can implement the QFT, 
and QFT;? exactly, which allows us to obtain k and kt mod r exactly. We will make this 
assumption for the hidden subgroup algorithm later, but for this section we will stick with 
QFT2n which we have shown how to implement in detail. 
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Note that with probability at least (2 the two values x and y that are mea- 
sured will simultaneously satisfy 


x k 1 
Se aloe (7.4.5) 
and 
kt mod r 1 
on a Soe (7.4.6) 
In other words, 
cr r 
= k| <5 (7.4.7) 
and 
Fa — kt mod r| < — (7.4.8) 


Thus if we choose n so that 2r < 2”, we can determine the integers k and 


kt mod r by simply rounding off 5; and 34 to the nearest integers. 


In summary, the quantum circuit shown in Figure 7.17, followed by the above 
post-processing will find the correct value of t with probability at least a (S= 
0.657°—. As with the order-finding circuit, this quantum circuit requires only 


O((log N)? log log(NV) log log log(V)) elementary quantum gates. 


The discrete logarithm algorithm is summarized below. 


Discrete Logarithm Algorithm 


1. Initialize two n-qubit register to |0)®". Call this these the first and second 
control registers respectively. 
2. Initialize an n-qubit register to |1) = |00...01). Call this the target regis- 
ter. 
. Apply the QFT to each of the first and second registers. 
. Apply c-U® to the target register and first control register. 
. Apply c-U to the target register and second control register. 
. Apply the QFT~! to each of the first and second registers. 
. Measure the first register to obtain an estimate 57 of & for a randomly 
selected k € {0,1,..., r—1}. 
8. Measure the second register to obtain the estimate # of Kt mod 7 (for the 
same k as obtained in the previous step). 


NOD OB W 


9. Round off 5% to the nearest integer y. Round off $ to the nearest in- 
teger . If = 0, output ‘FAIL’. If ¢ 4 0, compute ¢ = 7%! mod r. If 


b= a! mod p, then output t. Otherwise, output ‘FAIL’. 
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Fig. 7.17 A circuit for finding the discrete logarithm of a to the base b. The 
value x measured at the first register provides the estimate 5; of & for a random 
k € {0,1,...,7 — 1}, and the outcome measured at the second register provides an 


estimate of (Kt mod 7) for the same random k. 


As was the case with the order-finding algorithm, the discrete logarithm algo- 
rithm will work for any group for which we can represent group elements uniquely 
and perform the group operation. That is, the discrete logarithm algorithm works 
in ‘black-box groups’ (with unique encodings). Thus, this algorithm also applies 
to the additive group of points on an elliptic curve, which is commonly used in 
public-key cryptography. 


Furthermore, it suffices to have any circuit that produces the state 
ey |) ly) |b” a”) (which equals the state in Equation 7.4.4), for example, using 
the mapping Va,» : |x)|y)|z) - |x)|y)|z ® a%b¥) would also suffice (as discussed 
in Appendix A.6). 


The classical and quantum complexities for the discrete logarithm problem are 
summarized below. 


Complexities of the Discrete Logarithm Problem 


e Finding discrete logarithms in FY 
- Quantum complexity is in O((log q)? log log(q) log log log(q)). 
- Best-known rigorous probabilistic classical algorithm has complexity 
in eO (Vlog qlog log q) 
- Best-known heuristic probabilistic classical algorithm has complexity 
in eO (Mog 4) 3 (log log q)3). 
e Discrete logarithms in a black-box group represented with strings of length 
n 
- Quantum black-box complexity (for groups with unique encodings of 
group elements) is O(log r) black-box multiplications and O(n+log? r) 
other elementary operations. 
- Classical black-box complexity is in O(,/7r). 
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The discrete logarithm algorithm was originally discovered by Shor in a manner 
analogous to the order-finding algorithm description in Section 7.3.4. In the next 
section, we show a generalization of the order-finding and discrete logarithm 
algorithms, and analyse it in this way. 


7.5 Hidden Subgroups 


In Section 6.5 we stated a generalized version of Simon’s problem, which is a 
special case of the ‘Hidden Subgroup Problem’. 


The problem can be stated for any group G. 


The Hidden Subgroup Problem 


Let f : G— X map a group G to some finite set X with the property that 
there exists some subgroup S < G such that for any x,y € G, f(x) = f(y) if 
and only if «+ 5 = y+. In other words, f is constant on cosets of S and 
distinct on different cosets. 


Notice how we can rephrase most of the problems we have already discussed, 
along with some other ones, in this framework. 


Hidden Subgroup Problems 


Deutsch’s Problem: 
G = Zo, X = {0,1}, and S = {0} if f is balanced, and S = Zs if f is 
constant. 


Generalized Simon’s problem: 
G=Z3, X = {0,1}", and S is any subgroup of Z. 


Finding orders: 
G=Z, X = any finite group H, r is the order of a € H. The subgroup 
S =rZ is the hidden subgroup of G, and a generator for S' reveals r. 


Finding the period of a function: 

G = Z, X = any set, r is the period of f (see Exercise 7.3.7). The subgroup 
S = rZ is the hidden subgroup of G, and a generator for S reveals the 
period r. 


Discrete logarithms in any group: G = Z,. x Z,, X = any group H. 
Let a be an element of H with a” = 1 and suppose b = a®. Consider the 
function f(#1,%2) = a71b”2. We have f(x1,22) = f(yi, y2) if and only if 
(%1, 2) — (y1, ye) € {(t, -tk),t = 0,1,..., r—1}. The hidden subgroup S$ 
is the subgroup generated by (1, —k) (k is the discrete logarithm). 

Hidden linear functions: G = Z x Z. Let g be some permutation of 
Zn for some integer N. Let h be a function from Z x Z to Zy defined 
by h(z,y) = «+ ay mod N. Let f = goh. The subgroup S is the hidden 
subgroup generated by (—a, 1), and the generator reveals the hidden linear 


function h. 
unction HnG 
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Self-shift-equivalent polynomials: Given a polynomial P in | variables 
X1,X2,..., Xi over Fy (the finite field with q elements), the function f 
which maps (a1,@2,..., @) € F’ to P(X, — a1, X2 — ag,..., X; — az) is 
constant on cosets of a subgroup S' of Fi. This subgroup S$ is the set of 
self-shift equivalences of the polynomial P. 


Abelian stabilizer problem: Let G be any group acting on a finite set 
X. That is, each element of G acts as a map from X to X in such a way 
that for any two elements a,b € G, a(b(x)) = (ab)(x) for all x € X. Fora 
particular element « € X, the set of elements which fix x (i.e. the elements 
a €G such that a(a#) = x) form a subgroup. This subgroup is called the 
stabilizer of x in G, denoted Stg(x). Let f, denote the function from G to 
X which maps g € G to g(x). The hidden subgroup of f, is Stg(x). 


Graph automorphism problem: Consider G = S,, the symmet- 
ric group on n elements, which corresponds to the permutations of 
{1,2,..., n}. Let G be a graph on n vertices labelled {1,2,..., n}. For 
any permutation a € S;,, let fe map S, to the set of n-vertex graphs by 
mapping fa(o) = o(G), where o(G) is the graph obtained by permuting 
the vertex labels of G according to o. For the function fg, the hidden 
subgroup of G is the automorphism group of G. 


Note that for the graph automorphism problem above, the group G is non- 
Abelian.® If we restrict attention to finite Abelian groups, or more generally, 
finitely generated Abelian groups, then we can efficiently solve the hidden sub- 
group problem. Below we outline how the algorithm works for finite Abelian 
groups. 


7.5.1 More on Quantum Fourier Transforms 


We have seen two generalizations of the Hadamard transformation. The first 
was formed by taking the tensor product H®” = H ® H ®---®H of several 
Hadamard transformations. The second generalization was formed by increasing 
the dimension of the single system, giving the QFT y, for arbitrarily large N, 
where QFT, = H. 


We can perform both type of generalizations at the same time, giving us 
QFTS” = QFTy @ QFTy ®--: @ QFTy or even more generally QFTy, ® 
QFT y, ®---@® QFTy,, for possibly different N;. 


Note that 
QFT y, ®@ QFTy, ®---@ QFT y, (7.5.1) 


operates on the vector space Hy, © Hy, ®--: © Hy,, and we also denote it as 


9A group is said to be Abelian if for any two group elements x,y, we have ry = yx (i.e. if 
the group operation is commutative). TEAM LinG 
In 


148 ALGORITHMS WITH SUPERPOLYNOMIAL SPEED-UP 


We can verify that 


sf Ue A: ¥2e2 fiat TRVk 
QFT yy, No,...,N,l@1)|@2) ++ |2e) = So etm tha tte ls Vigo) «+ [apa 


(Y1sYQres Vk) 


€Zn, XZNo xZn, 
(7.5.2) 
If Nj = Nog =--- = Nz we can more compactly write 
1 ni 
@k Tiy, 
OMI) = age ee (7.5.3) 
yeZr 


where x-y = %1y1 + Cayo +--- + Ueyp mod N. 
Let S$ be any subgroup of Z%,, and define 
=a S>\s) (7.5.4) 
[S| ses 


We let S+ denote {t : t-s = 0 for all s € S}. We can verify that QFT2*|S) = 
dete gs [t). For any b € Zk, we define b+ S = {b+s:s€ S}, and 


Ib+S 


(7.5.5) 


7B dU lbs 
G ses 
We can verify that QFT?*|b + S$) = IE tes € tb iE) 


More generally, we can consider any Abelian group G = Zn, X Zn, X ++: X ZN, 
and for any subgroup S < G, we aa define 


= a5 S~ Is) (7.5.6) 


ses 
and for any coset b+ S of S we define 
b+ 5)=S-|b+s). (7.5.7) 
ses 


We can define S~ to be the set {t : 472+ 'S2+---+ 45" = 0 mod 1 for alls € S}, 
where x = 0 mod 1 if x € Z. Another way of expressing the condition that 


t t t 
BAST ag OR + — =0 mod 1 (7.5.8) 


is to say that 


=1. (7.5.9) 


For convenience, let us denote 


-(t,s tos tps 
ami ( 4 Red 4.4 “ek ) 
Ny tong tet oN, i 


xt(S) =e (7.5.10) 


For the reader familiar with group representation theory, the function x4 is a 
character of the Abelian group G, and for Abelian groups there is a one-to-one 
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correspondence between G and the characters of G by the obvious correspon- 
dence t > x¢. The QFTg maps |x) > ) cq Xy(x)|Y)- 


One important observation is that 


QFTG'|b+ 5) = S> xe(b)|t). (7.5.11) 
test 


Exercise 7.5.1 Prove Equation (7.5.11). 


7.5.2 Algorithm for the Finite Abelian Hidden Subgroup Problem 


For convenience, we will assume that we can efficiently perform the QFT , ex- 
actly for any N. In practice, we can perform it with arbitrary precision, as we 
described in Theorem 7.1.1 


Let N = J], Nj. Let N = pj*p5?...p/' be the prime factorization of N, and 
letn = >> ;7j- We have the following algorithm for the finite Abelian hidden 
subgroup problem. We let 7{x denote the Hilbert space of the output register of 
Uy. 


Algorithm for the Finite Abelian HSP 


1. Set z= 1. 
2. Start with 


|0)|0)---|0)/0) € Hn, ®@ Hn, @...@ HN, @Hx. (7.5.12) 


3. Apply QFT y, No, 
4. Apply Uy; to create the state 


nv, to the input registers. 


2 bx) F 00). (7.5.13) 


. (optional) Measure the second register. 

-1 

- Apply QFT Ny No... 

. Measure the first register to obtain a value t;. 

. Ift <n+4, increment i and go to Step 1; otherwise proceed to Step 7. 
. Find generators k;,k2,... for the solution space of the equation 


n, to the input registers. 


Oo OND oO 


Tx? =0mod1 (7.5.14) 


‘ ‘ , . tir te te 
where T is the matrix whose ith row is (5+, y,---, Wo): 


10. Output kj, ko,.... 
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Note that the group G = Zy, x Zn, x --: X Zn, can be partitioned into the 
cosets y + S of the subgroup S, and we can rewrite the state in Step 3 as 


SY“ ly + S)IF(y)) (7.5.15) 


where the summation is over a set of coset representatives. Thus the (optional) 
measurement in Step 4 will leave the first register in a random coset state |y +S). 
As we saw in Equation 7.5.11, the final Ori, produces a uniform superposi- 
tion of elements of $+ (where the value of the coset representative y is encoded 
in the phase factors). Thus the values tj; we measure in Step 7 will be ele- 
ments of S+ and thus satisfy the linear equation in Equation 7.5.8. With high 
probability (see Theorem 7.5.1), the values t1, t2,..., tr44 will generate $+, in 
which case the elements of S will be the only solutions to the linear system in 
Equation 7.5.14. The linear system can be solved in time polynomial in n. 


Theorem 7.5.1 The group (t1,t2,..., tr44) generated by the t; is a subgroup 
of K+. With probability at least 2 we have (t1,t1,..., tn4a) = K+. 


The proof of this theorem follows by a similar argument to that used in the proof 
of Theorem A.3.1 in Appendix A.3 (which was used in analysing the zero-error 
version of Simon’s algorithm). 


Corollary 7.5.2 The hidden subgroup Kk of f is contained in the span of 
k,,ko,.... With probability at least 2 we have K = (kj,kg,...). 


Note that we can test if f(k;) = 0 for all 7, and thus we can test if K = 
(ki, ko,...) with n + O(1) evaluations of f. 


Corollary 7.5.3 There exists a bounded-error quantum algorithm for finding 
generators for the hidden subgroup K < G= Zy, X Zn, X ++: X Zn, of f using 
O(log N) evaluations of f and O(log® N) other elementary operations. 


Exercise 7.5.2 Assume that N is prime. 

(a) Find a basis for the Hilbert space spanned by {|f(x)) : x € Z@*} that consists of 
eigenvectors of the maps |f(x)) # |f(x+y)). 

Hint: There is a one-to-one correspondence between these eigenvectors and the elements 


of St. 


(b) Rewrite Equation 7.5.13 by expressing the state of the second register in this new 
basis. 


(c) What is the result of applying the inverse of QOFTS* to the first register, with the 
second register expressed in this new basis? 
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Exercise 7.5.3 Show that the hidden subgroup problem can be efficiently reduced 
to the finite Abelian hidden subgroup problem if G is finitely generated, generators 
91,92,++-; Gn are given, and X is finite. 


7.6 Related Algorithms and Techniques 


The great success of quantum algorithms for solving the Abelian hidden sub- 
group problem leads to the natural question of whether it can solve the hidden 
subgroup problem for non-Abelian groups. This question has been studied by 
many researchers, and quantum algorithms can be found for some non-Abelian 
groups. However, at present, there is no algorithm for most non-Abelian groups, 
like the symmetric group (which would directly solve the graph automorphism 
problem). One can generalize the QFT to non-Abelian groups, and it can be 
implemented efficiently in some cases. However, it is not yet clear if an efficient 
QFT for a group suffices in order to efficiently solve the hidden subgroup problem 
for that group. 


There are also a handful of problems, such as ‘hidden shift’ problems, and approx- 
imating the Jones polynomial, for which quantum algorithms offer a superpoly- 
nomial advantage over the best-known classical algorithms. These algorithms do 
not seem to be a special case of the hidden subgroup problem. 


One very important class of problems, which in fact motivated Feynman to invent 
the notion of a quantum computer, is that of simulating quantum mechanical 
systems. There are quantum algorithms that can simulate quantum mechanical 
systems exponentially more efficiently than any known classical algorithm. 


Last, we have focussed attention on quantum algorithms for solving classical 
problems. But there are many information-processing tasks like entanglement 
concentration and quantum data compression (which we do not deal with in this 
textbook), where both the input and output are quantum, so they cannot be 
done at all using classical computation. 
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ALGORITHMS BASED 
ON AMPLITUDE 
AMPLIFICATION 


8.1 Grover’s Quantum Search Algorithm 


In this section, we discuss a broadly applicable quantum algorithm that provides 
a polynomial speed-up over the best-known classical algorithms for a wide class 
of important problems. 


The quantum search algorithm performs a generic search for a solution to a very 
wide range of problems. Consider any problem where one can efficiently recog- 
nize a good solution and wishes to search through a list of potential solutions in 
order to find a good one. For example, given a large integer N, one can efficiently 
recognize whether an integer p is a non-trivial factor of N, and thus one naive 
strategy for finding non-trivial factors of N is to simply search through the set 
{2,3,4,..., | NJ} until a factor is found. The factoring algorithm we described 
in Chapter 7 is not such a naive algorithm, as it makes profound use of the 
structure of the problem. However, for many interesting problems, there are no 
known techniques that make much use of the structure of the problem, and the 
best-known algorithm for solving these problems is to naively search through the 
potential solutions until one is found. Typically the number of potential solutions 
is exponential in the size of the problem instance, and so the naive algorithm 
is not efficient. Often the best-known classical search makes some very limited 
use of the structure of the problem, perhaps to rule out some obviously impos- 
sible candidates, or to prioritize some more likely candidates, but the overall 
complexity of the search is still exponential. 


Quantum searching is a tool for speeding up these sorts of generic searches 
through a space of potential solutions. 


It is worth noting that having a means of recognizing a solution to a problem, 
and knowing the set of possible solutions, means that in some sense one ‘knows’ 
the solution. However, one cannot necessarily efficiently produce the solution. 
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For example, it is easy to recognize the factors of a number, but finding those 
factors can take a long time. 


We give this problem a more general mathematical structure as follows. We 
assume that the solutions are expressible as binary strings of length n. Define a 
function f : {0,1}" — {0,1} so that f(x) = 1 if x is the binary encoding of a 
‘good’ string (i.e. a solution to the search problem), and f(x) = 0 otherwise. 


The Search Problem 


Input: A black box Uy for computing an unknown function 
Ff: {0,1}" — {0,1}. 
Problem: Find an input x € {0,1}” such that f(a) = 1. 


If the function f is only provided as such a black box, then Q(./2”) applications 
of the black box are necessary in order to solve the search problem with high 
probability for any input (see Section 9.2). Thus quantum algorithms can provide 
at most a quadratic speed-up over classical exhaustive search. 


For convenience, let us initially restrict attention to functions with exactly one 
solution « = w. Let us assume that we wish our procedure to find the solution 
with probability at least 3 for every such function f." 


If we are only allowed to make one query, the best our algorithm can do is to 
guess a solution x; uniformly at random, and then use the query to check if 
f(x.) = 1. If x, is the correct answer, output 21. Otherwise, guess a string x2 
uniformly at random from the set {0,1}” — {v1} and output x2. Note that this 
procedure outputs the correct value x = w with probability =. 


If we have two queries, the best we can do is to continue with the above procedure, 
and use the second query to test if f(a2) = 1. If f(a2) = 1, we output x2, and 
otherwise, we guess a string x3 uniformly at random from {0, 1}" — {a1, 72}, and 
output the guess x3. This procedure outputs « = w with probability 3s. 


If we continue the above procedure, with k queries, for k < 2”, the proce- 
dure will output the correct value « = w with probability ft Note that we 
can guess the correct answer with probability x= without any queries, and that 
each additional query boosts the probability of outputting the correct answer 
by aan 

Consider a quantum version of the naive algorithm that makes a guess without 
making any queries. This procedure guesses the correct answer with probability 


x, and so the quantum version does this with a probability amplitude of re If 


there were some quantum way to boost the amplitude by Tz after each query, 


then we could solve the search problem with only O (v 28) queries. Finding such 


1As pointed out in Appendix A.1, the choice of the value S for the success probability is 
arbitrary. Any constant strictly between 4 and 1 would suffice. 
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a quantum-boosting algorithm is not straightforward since we are constrained 
by laws of quantum mechanics; therefore, we are not able to use handy tools 
like cloning. Grover devised a quantum algorithm that achieves this amplitude 
boosting. 


Grover’s algorithm performs the search quadratically faster than can be done 
classically. If there is exactly one solution, a classical deterministic brute-force 
search takes 2" — 1 queries in the worst case. In fact, any classical algorithm, 
that for any function f finds a solution with probability at least 2, must make 
Q(2”) queries in the worst case. Grover’s quantum search algorithm takes only 
O (V2") = O (22) queries. 

Although this is not as dramatic as the exponential quantum advantage achieved 
by Shor’s algorithm for factoring, the extremely wide applicability of searching 
problems makes Grover’s algorithm interesting and important. In particular, 
Grover’s algorithm gives a quadratic speed-up in the solution of NP-complete 
problems (see Section 9.1.1), which account for many of the important hard 
problems in computer science. We describe Grover’s algorithm in the remainder 
of this section. 


We assume we have a means for recognizing a solution, and therefore, we can 
without loss of generality assume we have a quantum black box Uy for f as 
follows. 


Us = |a)|b) + |x)|b® f(a). (8.1.1) 


Suppose we set the target register |b) (which consists of a single qubit) to |0). 
Then, given a query value x encoded in the query register as |), suppose we 
query Uy. The result is 


|z)|0) —% |x)| f(x) (8.1.2) 


and by measuring the target qubit, we get the answer to the oracle query to f. 
But this is no better than just applying the oracle for f classically. As was the 
case for the QFT algorithms, to gain a ‘quantum advantage’, we need to use 
quantum superpositions. 

We can easily prepare the first register in a superposition of all possible query 


values, In yoy |e) (where N = 2”). 


We can split the sum Tr a |x) into two parts. The first part is a sum over 
all the x for which f(x) = 0; that is, the ‘bad’ x that are not solutions to the 
search problem. Let Xjpaq be the set of such bad x. The second part is a sum over 
all the x for which f(z) = 1; that is, the ‘good’ solutions to the search problem. 
Let Xgooa be the set of such good x. For convenience, let us assume for now that 


there is only one solution, w, so Xgooa = {w}. 
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1 2°%—1 ; es 
aw) + 4/255 me U, | pelwyn 2°=1 Iabyaa)|0) 


Fig. 8.1 The oracle Uy for quantum searching. 


Define the states 


|Ygooa) = |) 


baa) = (8.1.3) 


1 
woh |}. 
N-1 @EXbad 
Suppose we prepare the target qubit of U; in the state |0), and the query register 
in a superposition of the form 


Tr Deco |2) = Tale) t 4/ Xe lWpad)s (8.1.4) 


as shown in Figure 8.1. 


Now with probability = a measurement of the target qubit will give |1), and the 
query qubits will be left in the good state |w). Although this procedure uses the 
quantum superposition principle, it does not make any use of quantum interfer- 
ence and can easily be simulated using classical randomness. This procedure is 
equivalent to simply sampling an input x uniformly at random and computing 
f(x). 

The quantum search algorithm is an iterative procedure that uses quantum in- 
terference to nudge up the amplitude of the good state |w) before measuring the 
query register. 


We saw in Chapter 6 that if we set the query register to some query index |:), 
and we set the target qubit to 3 ((0) —|1)) the effect of the oracle is: 


In) (ee) 2, (1) fa) (ee) , (8.1.5) 


Since the second register is in an eigenstate, we can ignore it, considering only 
the effect on the first register. 


U; : |x) > (-1)F |x), (8.1.6) 


So the effect is to encode the answer to the oracle query in a phase shift (recall 
this idea of encoding an answer in a quantum phase was key to the operation 
of the QFT algorithms as well). It is convenient, for the rest of this chapter, 
to redefine Uy to be the n-qubit operator that performs the transformation of 
(8.1.6). 
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Exercise 8.1.1 Suppose f : {0,1,... N} — {0,1}, with the promise that f(0) = 0. 
Show how one application of an oracle that maps |z) + (—1)/@|x) can be used to 
implement the oracle that maps |x)|b) + |x)|b @ f(z)). 


We will also define an n-qubit phase shift operator Up. that acts as follows: 
Gos re ee (8.1.7) 


This operator applies a phase shift of —1 to all n-qubit states orthogonal to the 
state |00...0). If we denote the vector space spanned by the basis state |0) by 
Vo, then the vector space orthogonal to Vo is the space spanned by all the basis 
states |x) A |00...0), and can be denoted by Vj>. The operator Up. applies a 
phase shift of —1 to vectors in ‘ae 


Now we can define the operator that does the job of increasing the amplitude 
of |Wgooa) = |w). This operator G = HU): HUy is called the Grover iter- 
ate or the quantum search iterate. It is defined by the following sequence of 
transformations. 


The Grover Iterate G 


1. Apply the oracle Uf. 

2. Apply the n-qubit Hadamard gate H. 
3. Apply Uo.. 

4. Apply the n-qubit Hadamard gate H. 


A circuit implementing the Grover iterate is shown in Figure 8.2. Note that the 
target qubit for the oracle operator Us (which we prepared in the eigenstate 
35 (|0) —|1))) is omitted in Figure 8.2, since we are working with the simplified 


definition of Uy as described by Equation (8.1.6) above. 


Now that we have defined the Grover iterate, Grover’s quantum searching algo- 
rithm can be written succinctly as follows. 


G 
Uy H AU A 


Fig. 8.2 The Grover iterate. 
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Grover’s Quantum Search Algorithm 


1. Start with the n-qubit state |00...0). 
2. Apply the n-qubit Hadamard gate H to prepare the state Tal) = 


Sales |x) (where N = 2”). 
3. Apply the Grover iterate G a total of [3 se | times. 


4. Measure the resulting state. 


Grover’s algorithm is shown schematically in Figure 8.3. 


We next show that the Grover iterate G actually does the job of increasing the 
probability amplitude of |w). 


Let 
|b) = H|00...0), (8.1.8) 


consider the action of the operator HUj. H. We have that 
HUpi HH : |) |y). (8.1.9) 


Let Vy denote the vector space orthogonal to |). This space is spanned by the 
states H|x) for x #00...0, and for all such states we have 


HU jit : H\x) + —H|zx). (8.1.10) 


So the operator HUp.1H applies a phase shift of —1 to vectors in Va We can 
therefore denote 
Uys = HUji1 (8.1.11) 


and write the Grover iterate more succinctly as 


G = UysUy. (8.1.12) 


Exercise 8.1.2 Let |) = Fa io |x). Show that the operator HUj1H can be 
written as (2|y)(w| — I). 


Exercise 8.1.3 Prove that any n-qubit state |) that is orthogonal to H|00...0) has 
the sum of its amplitudes equal to 0. 


00...) FA AGAGESAG 


A AAA 


Fig. 8.3 Grover’s quantum searching algorithm. 
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Exercise 8.1.4 Prove that U,,. ‘inverts about the mean’. More precisely, consider any 
superposition 
It) =) acl) 
x 


where 
1 
b= WF > Oe 
is the mean of the amplitudes. Show that Uy. |¢) = )0,,(u — a«)|x). 
Hint: Decompose |¢) as |¢) = aw) + B/b) where |W) is orthogonal to |W). 


Since H|00...0) has only real amplitudes, and the Grover iterate does not intro- 
duce any complex phases, then the amplitudes always remain real. This allows 
us to represent the amplitudes as lines above (for positive amplitudes) or below 
(for negative amplitudes), an axis labelled by the N possible inputs, as done 
in Figure 8.4. Initially, the state is |y) = H|00...0), so the mean value of the 


amplitudes is simply Tt 


After the application of Uy, the amplitude of |w) picks up a —1 phase shift, 
and thus the mean value of the amplitudes shifts down slightly, as illustrated in 
Figure 8.5. 


The operator U,,. can be viewed as an ‘inversion about the mean’, which nearly 
triples the size of the amplitude of |w), and slightly nudges down the amplitudes 
of all the other basis states, as illustrated in Figure 8.6. 

Another application of Ur makes the amplitude of |w) negative again, slightly 
pushing down the mean value of the amplitudes, and the inversion about the 
mean operation adds roughly another Pea to the size of the amplitude of |w) 
and slightly nudges down the amplitudes of all the other basis states. 


\w) 
Mean value y XK 
van ra 
URN a/ 
joo 0) |  |00...10) j11...1) 


Fig. 8.4 Real valued amplitudes represented as lines above and below a horizontal 
axis labelled by the N possible inputs to the search problem. The state |w) depicted 
above is a uniform superposition over all possible inputs. . 
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Mean value 


HEAEAH 


|w 


Fig. 8.5 State after a single application of Uy 


ad 


Ht 


= U;|p) 


(omitting the normalization factor). 


Uy. Us | v) 


Fig. 8.6 Inversion about the mean. 


We can see that roughly sas iterations of the Grover iterate should boost the 
amplitude of |w) to be close to 1. The following is a precise analysis. 


First note that we can write |W) = H|00...0) in terms of |w) and |wpaa) as 


lv) = Fylw) + SF Itbbaa): (8.1.13) 


It is important to observe that starting in the state |W) and repeatedly applying 
Uy and Uy. leaves the state of the system in the subspace spanned by |w) and 
\Wpaa), that is, a 2-dimensional subspace of the N = 2”-dimensional state space. 


In order to analyse Grover’s algorithm, it helps to define two bases for this 


2-dimensional subspace: 


{|w), lWbaa) } (8.1.14) 


and 


{l), 1) } 


(8.1.15) 


where we define the state |) orthogonal to |w): 


1D) = Vf “wt lw) — FqlYbaa).- (8.1.16) 


Note that the mean value of the amplitudes of |W) is 0 (see Exercise 8.1.3). 
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Define @ so that 


it@) ee 
sin(?) = TN’ (8.1.17) 
Then we have cos(#) = ,/*—. 
Note that 
|b) = sin(@)|w) + cos(@)|Vpaa); (8.1.18) 
|) = cos(9)|w) — sin(9)|Wpbaa) (8.1.19) 
and also _ 
|w) = sin(0)|w) + cos(@)|w), (8.1.20) 
[Waa) = cos(8) |b) — sin(6)|) (8.1.21) 


so we can easily convert between the two bases. 
Figures 8.7 and 8.8 illustrate the states |w) and |) in terms of |w) and |wpaa). 


The quantum searching algorithm starts off in the state 
|b) = sin(@)|w) + cos(@)|Ypaa).- 
The operator Uy gives the state 


Uy|b) = —sin(4)|w) + cos()|dpaa) = cos(20)|a) — sin(28)|y) 
illustrated in Figures 8.9 and 8.10. 


I) 
sin(6) | S +  cos(6) | | | | | S 
|w) |Wpaa) 
Fig. 8.7 The state |y) in terms of |w) and |tpaa). Note that @ satisfies sin(@) = Tar 
Iv) 
— cos(6) ‘ —  sin(@) | | | | S 
|w) baa) 


Fig. 8.8 The state |i) in terms of |w) and |paa)- 
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= an + owe | UII ILS 


|w) | Wad) 


Fig. 8.9 The state after one application of Us. Compare with Figure 8.7. 


eee | | | | I | » -sin(26) a 
2) fr) 


Fig. 8.10 The state in Figure 8.9 can be expressed in terms of the {|2), |@)} basis. 
Then the inversion about the mean, Uy, gives the state 
Us Us |b) = cos(26) |) + sin(20) |) = sin(34)|w) + cos(34)|pbaa), 


illustrated in Figures 8.11 and 8.12. 


It is easy to verify by induction that after k iterations of the Grover iterate 
starting with state |) = H|00...0), we are left with the state 


(UsZUs)* |b) = cos(2k6)|b) + sin(2k6)|-)) 
= sin((2k + 1)0)|w) +cos((2k+1)4)|tpaa), (8.1.22) 


illustrated in Figure 8.13. 


Exercise 8.1.5 Verify that for any real number j 


sin((2j + 1)0)|w) + cos((2j + 1))|boaa) = cos(2j9)|b) + sin(250) |). 


In order to have a high probability of obtaining |w), we wish to select k so that 
ae + 1)0) = 1, which means that we would like (2k + 1)6 ~ 5, and thus 
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= eotan|| | |||) ||| sem 
2) I) 


Fig. 8.11 The state after the inversion about the mean. 


|w) . |*hbaa) 


Fig. 8.12 The state in Figure 8.11 expressed in terms of the {|w),|Wbaa) } basis. 


sin((2k + 1)8) \ cos((2k + 1)8) | | | | | | » 
|w) | |Wpaa) 


Fig. 8.13 The state after k iterations of the Grover iterate. 
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Let k satisfy (2k +1)0 = 5 Let k= [k]. 


Note ae (2k + 1)0 = § +e where |e| € O (+). Thus, sin (3 +¢) = cos(e) > 
Lee er=o(s), 


Rounding off 


For any real number x we are using the standard notation [a] and |x| to 
denote the nearest integer greater than x (rounding x ‘up’) and the nearest 
integer less than x (rounding x ‘down’), respectively. 


We also use the notation [2] to denote the nearest integer to x (in the case that 
x is exactly in between two integers, rounding off to either one will do for the 
purposes of this textbook). 


Since in some cases the algorithms we describe require us to se off a real 
number 2, given as an expression like z/N : arcsin( Fz), or Nsin (2 ), it is 
worth mentioning that this is not a computational bottleneck in any of the 
circumstances in which we use it. 


All of the functions that our algorithms need to round off can be efficiently 
approximated with precision € > 0 (i.e. in time polynomial in log(+) and also 
in the description length of x, which is logarithmic in N, M, and z in the above 
examples). That is, for any ¢ > 0, we can efficiently compute an integer y such 
that y—e€ <x <y+1 (an approximate version of |x|), or |y— | < $ +e (an 
approximate version of [:]). 


For simplicity, we will just use the [x], |#], or [x] notation in the description 
of the algorithms with the understanding that if we are concerned with the 
efficiency of the classical part of the algorithm, then an approximate round off 
will suffice. 


Theorem 8. ] 1 Let f be a function with exactly one solution. Let k = |k|, 
for k = ee} +. Running the quantum search algorithm with k applications of 
the Graver ierotion will find a solution to f(x) = 1 with probability at least 


1-0(2). 


The assumption of having only one solution is not necessary. Before analysing 
how the algorithm works when there is more than one solution, we describe a 
more general version of quantum searching. 


8.2 Amplitude Amplification 


Grover’s search algorithm can be generalized substantially to apply to any al- 
gorithm A for ‘guessing’ a solution. In the previous section we had A = H®” 
which guessed the solution by setting up a uniform superposition of all possible 
solutions. More generally, consider any algorithm A that starts with the generic 
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input state |00...0), which can include additional workspace, and maps to some 
superposition of guesses |) = }>., az|x)|junk(x)) which might have some ‘junk’ 
information left in the workspace qubits. That is 


|~) = AjO0...0) = ys a, |x) |junk()). (8.2.1) 


Note that we can naturally split |w) into two parts: 


w) = S> apla)|unk(z))+ S> az|a)junk(x)). (8.2.2) 


LEX good rE Xpaa 


Note that 
Pgood = SS lo,|? (8.2.3) 


BEX good 
is the probability of measuring a good state x, and 


Pbad = S- loa|? =1- Pgood (8.2.4) 


wEXpad 


is the probability of measuring a bad state a. 


If Peood = 1, no amplification is necessary, and if Pgooa = 0, amplification will 
not help since there is no good amplitude to amplify. In the interesting cases 
that 0 < Pgooa < 1, we can renormalize the good and the bad components into 


lteooa) = Joe |) \junk(a )) (8.2.5) 
LEX good 
and 
lboad) = D> vS#=|a)|junk(2)). (8.2.6) 
tEXpad 
We can then write 
Ih) = V/PgooalP good) + VPbaalPbaa) (8.2.7) 
or 
|b) = sin(9)|%gooa) + c0s(4)|bpaa) (8.2.8) 


where 6 € (0, 3) satisfies sin?(0) = pgooa- 


We define a more general search iterate to be Q@ = AUj A~!Uy, which one can 
easily verify to be equivalent to UsU yf, where as before we define Us|) = |v) 
and Uz |¢) = —|¢) for all states |¢) that are orthogonal to |). 
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The state just before the first application of Q is the superposition 
|b) = sin(@)|Weooa) + cos(@)|Wpaa)- (8.2.9) 


For convenience, let us define the state 


|) = cos(9)|Pgooa) — sin() baa) (8.2.10) 


which is orthogonal to |y). Note that 


{|Pgood): baa) } (8.2.11) 


and 
{|v}, |v)} (8.2.12) 
are orthonormal bases for the same 2-dimensional subspace. 


We show that if we start with the state |), then alternately applying Uy and Uy 
leaves the system in the 2-dimensional subspace over the real numbers spanned 
by |%gooa) and |*bpaa). 


Since the amplitudes will be real numbers (any complex phases are absorbed in 
the definitions of |Wgooa), |Wpaa), |W), and |w)), we can conveniently draw the 
states on the unit circle in the plane, as seen in Figure 8.14. 


Note that Uy will map 


sin(9)|Ygooa) + cos(@)|Wpaa) = —sin(9)|Wgooa) + cos(9)|Wpaa); (8.2.13) 


as illustrated in Figure 8.15. 


Z| \Weooa) 
1b) \ 


e 


\@ 
lv) — 


| w bad) 


Fig. 8.14 The states |) = AJ00...0) = sin(@)|tgooa) + cos(9)|{baa) and 
|b) = cos(0)|Heooa) — Sin(@)|paa) illustrated on the unit circle in the plane. 
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|Weooa) 


) - 


Ushi) 


Fig. 8.15 The state Us|) = —sin()|Wgooa) + €08(4)|paa)- 


The action of Uy is most easily seen in the basis 


{l%), |v) }, (8.2.14) 
so it is convenient to first rewrite 
Uf|) = — sin(9)|Pg00a) + €08(8)|Ypaa) (8.2.15) 
= cos(26)|%) — sin(20)|w) (8.2.16) 
and then it is clear that 
Uz Uslb) = Uy (—sin()|%gooa) + cos(9)|*bbaa)) (8.2.17) 
= cos(20)|w) + sin(26) |) (8.2.18) 


and can be expressed in the {|gooa); |Ybaa) } basis as 


Uz Us|v) = sin(34) |Wgooa) + c0s(39)|paa)- (8.2.19) 


This state is illustrated in Figure 8.16. 


Notice that more generally for any real number ¢, the operation Uy does the 
following: 


Us (sin($)|gooa) + cos()|Yvaa)) = — sin(?)|bgooa) + Cos(P)|baa) (8.2.20) 


and so Uy performs a reflection about the axis defined by the vector |Wpaa). 


Similarly, the operation U, Fs does the following in general: 


Uy (sin(¢) |b) + cos(4)|%)) = sin(¢)|b) — cos(¢)|¥) (8.2.21) 
and so Uy performs a reflection about the axis defined by the |). 
TEAM LinG 


AMPLITUDE AMPLIFICATION 167 


|Weooa) 


UyiUys | v) 


\Waa) 


Fig. 8.16 The state Uj Us|~) = sin(30)|Wgooa) + c0s(30)|{paa)- 


|*gooa) 


a 


ef 


| Wad) 


30 


\ UU y.U;|v) 


‘\ 


\ 
\ 


Fig. 8.17 The state UsUj Us |b) = — sin(30)|gooa) + €08(34)|Wbaa). 


Two such refections correspond to a rotation through an angle 20 in the 
2-dimensional subspace. Thus, repeated application of Q = U;U y a total of 
k times rotates the initial state |y) to 


Q* |W) = cos((2k + 1)0)|Wpaa) + sin((2k + 1)8)|Wgooa), (8.2.22) 


as illustrated in Figures 8.17-8.19. 


Searching by amplitude amplification works by applying Q an appropriate num- 
ber of times until the state is such that a measurement will yield an element 
of the subspace spanned by |tgooa) with high probability. It remains to analyse 
how many iterations of Q are needed. 


To get a high probability of measuring a good value, the smallest positive k we 
can choose is such that (2k+1)@ © 3, implying k € 0 (4). Note that for small 6, 
sin(@) ~ @ and since sin(@) = ,/Pgood, searching via amplitude amplification uses 
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|Weooa) / . 
| Wy.0;) WW) 


40 \y) — 


\tbaa) 


Fig. 8.18 The state (UgU;)’ |) = sin(58)|teooa) + cos(54)|Pbaa)- 


|Weooa) | ri 
[(W0))" Wo) 


- okb Iw) 


Fig. 8.19 The state (UtUs)" |b) = sin((2k + 1)0) |Weooa) + cos((2k + 1)8)|Wbaa). We 
choose k so this state is close to |thgooa)- 


1 


av, any classical algorithm 


only? o( _ queries to Uy. Assuming Pgooa = 


would need 2 (45) queries to Ur or guesses uses the algorithm A. 


Exercise 8.2.1 Suppose there are ¢ solutions to f(x) = 1, with 0 < t < N, with t 
known. 


Show how to use amplitude amplification to find a solution with probability at least 5 


using O (/¥) applications of Us. 


?One could do better in the case that Pgood < = by abandoning amplitude amplification 
with A once K exceeds 2” and just exhaustively searching. TEAM LinG 
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You may have noticed that to apply this algorithm we have to know ahead of 
time how many times to apply Q. In the case that A uniformly samples the 
input, this requires knowing the number of solutions to the search problem. 
For more general A it requires knowing the probability with which A guesses 
a solution to f(x) = 1, that is, sin?(@). However, in many search problems of 
interest we will not know in advance how many solutions there are. Later, in 
Section 8.4, we will address this technical problem of searching without know- 
ing in advance how many search iterates are ideal. In the next section we will 
study the related question of approximating the amplitude with which A maps 
|00...0) to the subspace of solutions. In other words, we study the problem of 
estimating the amplitude sin(@) (or equivalently, the probability sin?(@)) when 
A\00...0) = sin(®)|Weooa) + cos(@)|¢baa)- 


Exercise 8.2.2 


Let Uy be a black box that implements Uy : |x)|b) - |x)|b® f(a)). 


(a) Suppose f : {00,01, 10,11} — {0,1} has the property that exactly one string x 
satisfies f(x) = 1. 

Show how to find with certainty the unique x satisfying f(x) = 1 with only one appli- 
cation to Us. 


(b) Suppose f : {0,1} — {0,1}, and the unitary operator A has the property that 
A|00...0) = $0, aa|x)|junk(a)) with the property that the probability of measuring a 
1 


good string z upon measuring A|00...0) is 5. 


Show how to find with certainty the unique x satisfying f(x) = 1 with only one appli- 
cation to Us. 


(c) Suppose f : {0,1}" — {0,1}, and the unitary operator A has the property that 
A|00...0) = 33, ae|x)|junk(«)) with the property that the probability of measuring a 


good string « upon measuring A|00...0) is 5. 


Show how to find with certainty an x satisfying f(x) = 1 with only one application to 
Uf. 


Hint: Add an extra qubit in the state $|1) + (310), and define a new function f (a,b) = 
b- f(x), where b € {0,1}. 


(d) Suppose f : {0,1}” — {0,1}, and the unitary operator A has the property that 
A|00...0) = S°,, a2|x)|junk(x)) with the property that the probability of measuring a 
good string x upon measuring A|00...0) is p > 0. 


Show that if we know p we can define a circuit that finds a solution to f(x) with 
= 


certainty using O ( 7 


) applications of U,. 


Exercise 8.2.3 Suppose we have an algorithm A that outputs a good solution with 
probability + — ¢. Show how one iteration of the search iterate gives us an algorithm 


that succeeds with probability 1 — O(e?). 
Note: There is also an algorithm that succeeds with probability 1 — O(e°). 
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8.3. Quantum Amplitude Estimation and Quantum Counting 


Note that the material in Sections 8.1 and 8.2 on quantum searching and ampli- 
tude amplification are prerequisites to the present section on quantum amplitude 
estimation and counting. 


Suppose instead of being interested in finding a solution to a search problem 
we are interested in counting how many solutions exist. That is, given a search 
space with N elements, indexed by {0,1,..., N —1}, t of which are solutions to 
f(x) = 1, we want to determine t. This is the counting problem associated with 
f. We will also consider the easier problem of approximately counting t. 


As in Section 8.1, let Xpaq be the set of x that are not solutions to the search 
problem, and let Xgooa be the set of x that are solutions to the search problem. 
We again defined |teooa) and |tpaa) as in Equations (8.2.5) and (8.2.6). 


The counting algorithm we describe is a special case of amplitude estimation, 
which estimates the amplitude with which an n-qubit circuit A maps |00...0) 
to the subspace of solutions to f(x) = 1. 


Amplitude Estimation Problem 


Input: 
e The operator A with the property that A|00...0) = sin(®)|Wgooa) + 
cos(9)|Ypaa), O< A < F. 
e The operator Uy that maps |tgooa)  —|Wgooa) and |Wbaa)  |Wpaa)- 
Problem: Estimate sin(@) (or equivalently, sin?(6)). 


Quantum counting is a special case of quantum amplitude estimation, where we 
N-1,. 
choose A so that A|00...0) = Tr yaar) es 


So if A]O) = ar \j) and 0 <t< N, then we have 


N 
|Weooa) z= S- ld) (8.3.1) 
JEX good 
\paa) - S- geal) (8.3.2) 
JEXpaa 


and 
A\00...0) = JF le00a) + 4/ Xt lbpaa)- (8.3.3) 


Thus, we have sin?(9) = £ and thus an estimation of sin?(0) gives us an esti- 
mation of ft. 


3In fact, it suffices that A|O0...0) = Ly N=! 64315) for an od; © [0, 27). 
VN ~j=0 2 Y P5 
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We can consider any n-qubit circuit A so that A|00...0) = Saas a,;|j). Define 
9,0<0< F to satisfy 


S~ |ajl? = sin? 0 (8.3.4) 
JEX good 

S> lajl? = cos? 8. (8.3.5) 
JEXpaa 


We will initially restrict attention to the cases where 0 < sin(@) < 1, and so 
A|00...0) = sin O|gooa) + C08 O|paa)- (8.3.6) 


The cases that sin(@) = 0 and sin(@) = 1 are easily analysed separately. Recall 
that in the non-trivial cases the amplitude amplification Q is a rotation in the 
space spanned by |{paa) and |Wgooa) through an angle 26. So in the subspace 
spanned by {|Wpbaa),|Wgooa) }, Q is described by the rotation matrix 


& 0 —sin . (8.3.7) 


sin@ cos@ 


A simple calculation shows that two independent eigenvectors for this matrix are 


() ; (#4) (8.3.8) 
V2 V2 


with corresponding eigenvalues e’?° and e~’?9, respectively. The above eigenvec- 


tors are expressed in the {|paa), |Ygooa) } basis, and so this means that 


w+) = Zylvvaa) + FylVe00a); 


|w_) _ J5|Ybaa) a 75 |Veooa) (8.3.9) 
are eigenvectors for Q with corresponding eigenvalues e’?? and e~*”°, respectively. 
It is easy to check that 

N-1 
Ip) = In am |x) 
=e Jalw+) +e? Ja|p_). (8.3.10) 


So |w) is an equally weighted superposition of eigenvectors for Q having eigen- 
values ec’? and e~?9. The quantum amplitude estimation algorithm works by 
applying eigenvalue estimation (Section 7.2) with the second register in the su- 
perposition |) = e Falb4) + e? Z|-). This gives us an estimate of either 
20 or —20, from which we can compute an estimate of sin?(@) = sin?(—0). The 
quantum amplitude estimation circuit is shown in Figure 8.20. 


The circuit outputs an integer y € {0,1,2,..., M—1}, where M = 2”, m>1, 


and the estimate of p = sin?(0) is p = sin” (744). 


TEAM LinG 


172, ALGORITHMS BASED ON AMPLITUDE AMPLIFICATION 


-—~<J 
joe ; QFT y, QFT xy, ca 


joe" — A Ge 


Fig. 8.20 Circuit for quantum amplitude estimation where M = 2” applications of 
the search iterate, and thus M applications of U;, are used. A measurement of the top 
register gives a string representing an integer y. The value 2@ is an estimate of either 


M 
20 or 27 — 20. 


Note that if A]00...0) = |¢%gooa), which is the case that = 4, then QA|00...0)= 

—A|00...0). Thus eigenvalue estimation will be estimating the eigenvalue —1 = 

e2"'3 Since M is even, eigenvalue estimation will output y = M with certainty, 

and thus we will determine the correct eigenvalue —1 = e’™ with certainty. So 
1 


our estimate j = sin? (x3) = 1 will be exactly correct with certainty. 


Similarly, if A|00...0) = |¢paa), which is the case that 0 = 0, then QA|00...0) = 
|00...0), and thus eigenvalue estimation will be estimating the eigenvalue 1. 
Thus eigenvalue estimation will output y = 0 with certainty, and we will deter- 
mine the correct eigenvalue 1 = e° with certainty. So our estimate p = sin?(0) = 
0 will be exactly correct with certainty. 


Amplitude Estimation Algorithm 


1. Choose a precision parameter m. Let M = 2”. 

2. Let Q = A~1Up. AU. 

3. Prepare an m-qubit control register, and a second register containing the 
state A|00...0). 

Apply the QF Ty to the first register 

Apply a ae Q”. 

Apply the OFT; to the first register. 

Measure the first register to obtain a string representing some integer 
y € {0,1,..., M-1}. 

8. Output sin 2 (a ae 


el Se oe 


Theorem 8.3.1 For any positive integers k and m, M = 2™, the amplitude 
estimation algorithm outputs p, 0 < p< 1 such that 


. \/p(1 — p qr 
|b — p| < 2nk ~ dee (8.3.11) 


with probably at least + when k = 1 and with probability greater than 
1- aE 3k—1) for k > 2. Ifp = 0 then p = 0 with certainty, and if p= 1 and then 


p = 1 with certainty. 
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Counting with Error in O(v‘1) 


1. Run amplitude estimation with M = [VN] iterations of the search iterate, 
to obtain the estimate p. 
2. Let t = [pN]. Output t. 


Corollary 8.3.2 The above algorithm outputs a value t such that with proba- 
bility at least + we have 


i +11 € Ovi). (8.3.12) 


ltt] < 20 


It is also possible to vary the parameter M and get an approximate counting 
algorithm with the following properties. The tricky part in designing these count- 
ing algorithms that use amplitude estimation as a subroutine is to guarantee that 
we are very unlikely to use a value M/ that turns out to be much larger that was 
necessary. We omit the proofs of the detailed performance of these algorithms. 


Counting with Accuracy ¢ 


1. Set /=0. 

2. Increment | by 1. 

3. Run amplitude estimation with M = 2! iterations of the search iterate, 
and let ¢ = [pN}. 

4. If f=0 and 2! < 2V/N then go to Step 2. 

5. Run the amplitude estimation algorithm with parameter M = peenee4, 
to obtain the estimate p. 

6. Let t = [pN]. Output t. 


Corollary 8.3.3 The above algorithm outputs a value t such that |t — t| < 
et with probability at least 2. The expected number of evaluations of f is in 


O (2 / x). If t = 0, the algorithm outputs t = t = 0 with certainty and f is 


& 


evaluated a number of times in O(VN). 


Exact Counting 


1. Let p, and pz be the results of two independent runs of amplitude estima- 
tion with M = [ 4rvN J. 


2. Let My = [30./(Nai +D(N-Na t+ D]. 
Let My = [30./(Wie (N= Noo dD). 
Let M = min{M,, M3}. 
3. Let p be the estimate obtained by running amplitude estimation with M 


iterations of the search iterate. 
4, Let ¢ = [pN]. Output t. 


TEAM ENG 


174 ALGORITHMS BASED ON AMPLITUDE AMPLIFICATION 


Theorem 8.3.4 The Exact Counting algorithm requires an expected number 
of application of Us in O(,/(t + 1)(N —t + 1)) and outputs the correct value of 
t with probability at least 2. 


We will see in Section 9.2 that this algorithm uses an optimal number (up to a 
constant factor) of applications of Us. 


Exercise 8.3.1 Suppose we are promised that the number of solutions is either 0 or 
some integer t (that we are given). 


Show how to decide whether f has a solution with certainty using O (/ =) applica- 


tions of Uf. 


Hint: Recall Exercise 8.2.2 (d). 


Example 8.3.5 One application of counting is to compute the mean of a function 
g:X —Y, where X is some discrete finite domain, which for convenience we assume 
is {0,1}", and Y is a subset of the real numbers, which we can assume without loss of 
generality is contained in the interval [0, 1). For convenience, we will assume g(x) = sm 
for some integer x € {0,1,... 2”" — 1}. Note that if g : {0,1}” + {0,1} (ie. m = 0), 
then this problem is exactly the counting problem. 


One way to estimate the mean (>>, g(x))/2” of a function g(x) is to estimate the 
amplitude with which an operation A that maps 


|00...0)|0) YS levi g(2)|0) + V9(@)I1)) 


produces a |1) value in the rightmost qubit. 


Exercise 8.3.2 shows how to implement this operator A given a circuit for implementing 
g (equivalently, for implementing f(a) where g(x) = f(x)/2™). 


An alternative method is to express g(x) as the concatentation of n binary functions 
9n—1(#)Gn—2(#)-..go(x). Since g(x) = 97; 2*gi(x), then D7, g(a) = 29,2" D7, gi(2). 
Thus we can first use quantum counting to approximate each )°,, gi(x) with g; and 
then combine the sum estimates to get an estimate of 5°, g(x) equal to 


9 = DiGi. 


Note: If X is continuous, like the interval [0,1], then the integral of well-behaved 
functions g can be approximated arbitrarily well by discretizing the set X, and 
multiplying the mean value of g on those discrete points by the measure of the 
set X. 


Exercise 8.3.2 Suppose you are given a circuit U, for implementing g: {0,1}" 
{0,1,..., 2” —1}, where Us|x)|y) = |x)|y + g(x) mod 2”). 
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1. Show how to implement the operation 


g(x) 


(0) + |1)) lz) (10) Het am |i). 


fe 


PA 


2. Show how to approximate the operation 


j}]0) + fa)y/1 — 22) + M20 


with accuracy in O(5r). 


Hint: Recall the ARCSIN,,.» circuit from Example 1.5.1. 


8.4 Searching Without Knowing the Success Probability 


Recall that the searching and amplitude amplification algorithms described in 
Section 8.1 required k iterations of the search iterate, where k ~ 7;. However, 
if we do not know the value 6, the following procedure gives an algorithm that 


uses O (3) applications of the search iterate without prior knowledge of @. 


Observe that when 0 < sin?(@) < 1, the amplitude estimation network produces 
the state 


ae” (20) b+) + ggl2m — 20) |h_). (8.4.1) 
Since 0 < 6 < 4, then increasing the parameter M = 2” in the quantum 


amplitude estimation algorithm means that |20) and 2m — 20) become better 
estimates of 26 and 27—20, and thus become more orthogonal (since 20 4 27-26 
if 0< 6 <9) 


In fact, if the eigenvalue estimation is done with an m-bit control register, it is 
easy to verify that the inner product between the two estimates is 


\(2n ~ 26|50)| € O (saa) (8.4.2) 


Exercise 8.4.1 Prove Equation 8.4.2. 


Note that once 2” >> 4, the states 20 — 20) and |20) are almost orthogonal. 


If the states were orthogonal, then tracing out the first register leaves the second 
register in the state 


a+) d+] + lb) (b_| (8.4.3) 
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oye" =— QFT QFT7NA : 
a Al) 5 Q* sly 
4 = ~<] 
Alo) & < 
es Q as  €{0,1,......,2"—1} 


Fig. 8.21 The circuit diagram on the left illustrates how the quantum counting circuit 
can be used to search by measuring the second register. Since the first register is 
discarded, this circuit can be simplified to a circuit, illustrated on the right, that applies 
the quantum search iterate Q a total of x times, where z is selected uniformly at random 
from {0,1,...,2’" — 1}. 


and we can easily verify that 
51+) (bel + gb) (b—| = ZlPeo0a) (Dgood| + 3|Pbaa) (bad: (8.4.4) 


Note that the probability of measuring a good solution if we measure the state 


3 Pgood) (Pgooal + 3 |Pbaa) (baal (8.4.5) 


is 


Nie 


However, since |20) and |2n — 20) are not perfectly orthogonal, but have inner 
product in O (sa); we can only say that if we measure the second register of 
the quantum counting algorithm (as illustrated on the left side of Figure 8.21) 


the probability of measuring a good state is in 


; 0 (saa) (8.4.6) 


Exercise 8.4.2 Let |) = 7101) ( 1-10) 4 ‘al1) 75102) ( 1-0) ‘al1) for some 


normalized states |¢1) and |¢2) with the property that |(¢1|¢2)| = e. Find a tight upper 
bound on the probability that measuring the first register in the computational basis 
results in the outcome |0) in the second register. 


If for a fixed m we run this quantum search routine twice,+ then the probability 
of finding a solution is in 3 -O (s47)- 


“Repeating twice is not of fundamental importance. This is just one way to guarantee that 

the probability of success p’ will be strictly above 1 once M > Wen where r is the rate at 
P 

which we increase the interval size M. We want rp’ < 1 because the expected running time 

will depend on the value of the geometric series 7, (rp’)". For simplicity, we choose r = 2 

and thus we wish to boost the probability p’ above 5. Alternatively, we could choose any rate 


1 
r<3: 
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Consider the following procedure: 


Quantum Searching Without Knowing Success Probabilities I 


1. Set m= 1. 

2. Perform eigenvalue estimation with an m-qubit control register. Measure 
the target register to obtain a value |y). If f(y) = 1, go to Step 5. 

3. Perform eigenvalue estimation with an m-qubit control register. Measure 
the target register to obtain a value |y). If f(y) = 1, go to Step 5. Otherwise 
increment m. 

4. If2™ < N, goto Step 2. If 2™ > N, do an exhaustive search to find a value 
y such that f(y) = 1. If no such y is found, output ‘NO SOLUTION’. 

5. Output y. 


Theorem 8.4.1 If @ > 0, the above procedure will output a value y satisfying 
f(y) =1. The expected number of queries to Us and applications of A and A7~' 
used is in O(%) and is never greater than O(N). If 0 = 0, the algorithm uses 
©(N) queries and applications of A and A~! and outputs ‘NO SOLUTION’. 


It is interesting to note that we never use the value of the first register, which 
means that the following algorithm is equivalent to the above algorithm (and, in 
the case A uniformly samples the inputs, this is equivalent to the first quantum 
counting algorithm invented by Brassard, Heyer, and Tapp). 


Quantum Searching Without Knowing Success Probability IT 


1. Set m=1. 

2. Pick a random integer y € {0,1,2,..., 2”"—1} and compute Q¥ A|00...0). 
Measure the register to obtain a value |y). If f(y) = 1, go to Step 5. 

3. Pick a random integer y € {0,1,2,..., 2”-—1} and compute QY A|00... 0). 
Measure the register to obtain a value jy). If f(y) = 1, go to Step 5. 
Otherwise increment m. 

4. If2™ < N go to Step 2. If 2” > N, do an exhaustive search to find a value 
y such that f(y) = 1. If no such y is found, output ‘NO SOLUTION’. 

5. Output y. 


Exercise 8.4.3 Note that the first of the above two algorithms (‘Quantum search- 
ing without knowing success probabilities I’) outputs a solution with probability 4 - 
O (sx) using 2” applications of Us. Devise a quantum algorithm using O(2) appli- 


cations of Uy that outputs a solution with probability in 1—- O ((x5)”). 
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8.5 Related Algorithms and Techniques 


We have mentioned how amplitude amplification is a very broadly applicable 
computational primitive. It can also be applied in more subtle ways to solve 
problems like element distinctness more efficiently than any classical algorithm. 
The element distinctness problem consists of deciding if there exist distinct in- 
puts x and y so that f(a) = f(y), where we are provided with a black box for 
implementing the function /f. 


It is also possible to define continuous time versions of the quantum searching 
algorithm which offer the same quadratic speed-up. Continuous-time computa- 
tional models may or may not be practical to implement directly, but they can 
be simulated efficiently by the quantum circuit model we have described. Such 
alternative models might be a novel way to discover new quantum algorithms. 
One interesting continuous-time algorithmic paradigm is that of adiabatic al- 
gorithms, which are inspired by the adiabatic theorem. For example, one can 
naturally derive an adiabatic searching algorithm that offers the same quadratic 
speed-up provided by amplitude amplification. A more general notion of adia- 
batic computation is in fact polynomial time equivalent to the quantum circuit 
model. 


There are also several ways to derive a quantum equivalent of a classical random 
walk, which we call quantum walks. Quantum walks are another interesting par- 
adigm in which to discover new quantum algorithms. For example, the optimal 
quantum algorithm for element distinctness can be found using a quantum walk 
algorithm. 
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COMPUTATIONAL 
COMPLEXITY THEORY 
AND LOWER BOUNDS 


We have seen in the previous chapters that quantum computers seem to be more 
powerful than classical computers for certain problems. There are limits on the 
power of quantum computers, however. Since a classical computer can simulate a 
quantum computer, a quantum computer can only compute the same set of func- 
tions that a classical computer can. The advantage of using a quantum computer 
is that the amount of resources needed by a quantum algorithm might be much 
less than what is needed by the best classical algorithm. In Section 9.1 we briefly 
define some classical and quantum complexity classes and give some relationships 
between them. Most of the interesting questions relating classical and quantum 
complexity classes remain open. For example, we do not yet know if a quantum 
computer is capable of efficiently solving an NP-complete problem (defined later). 


One can prove upper bounds on the difficulty of a problem by providing an 
algorithm that solves that problem, and proving that it will work within in a 
given running time. But how does one prove a lower bound on the computational 
complexity of a problem? 


For example, if we wish to find the product of two n-bit numbers, computing 
the answer requires outputting roughly 2n bits and that requires Q(n) steps (in 
any computing model with finite-sized gates). The best-known upper bound for 
integer multiplication is O(n log n log log n) steps. 


O, Q, and O Notation 


Let f and g be functions from the positive integers to the real numbers. 
O(f(n)) denotes the set of functions g(n) for which there exists a positive real 
c and integer N so that g(n) < cf(n) for alln > N. 

Q(f(n)) denotes the set of functions g(n) for which there exists a positive real 
c and integer N so that g(n) > cf(n) for alln > N. 
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O(f(n)) denotes the set of functions g(n) that are both in O(f(n)) and in 
Q(f(n)). 


Note: One will often encounter abuses of this notation, such as ‘g(n) = 


O(f(n))’. 


It has proved extremely difficult to derive non-trivial lower bounds on the com- 
putational complexity of a problem. Most of the known non-trivial lower bounds 
are in the ‘black-box’ model (for both classical and quantum computing), where 
we only query the input via a ‘black-box’ of a specific form. We discuss the 
black-box model in more detail in Section 9.2. 


We then sketch several approaches for proving black-box lower bounds. The first 
technique has been called the ‘hybrid method’ and was used to prove that quan- 
tum searching requires 2(,/n) queries to succeed with constant probability. The 
second technique is called the ‘polynomial method’. We then describe a tech- 
nique based on ‘block sensitivity’, and conclude with a technique known as the 
‘adversary method’. All of these techniques have been used to prove interesting 
lower bounds in the black-box model. 


For concreteness, we can assume our classical computing model is the log-RAM 
model, and our quantum computing model that of uniform families of acyclic 
quantum circuits (discussed in Section 1.2 and in Chapter 4). 


9.1 Computational Complexity 


In an attempt to better understand the difficulty of various computational prob- 
lems, computer scientists and mathematicians have organized computational 
problems into a variety of classes, called ‘complexity classes’, which capture some 
aspect of the computational complexity of these problems. 


For example, the class P corresponds to the class of problems solvable on a 
deterministic classical computer running in polynomial time and PSPACE cor- 
responds to the class of problems that can be solved using a polynomial amount 
of space. 


For convenience, we restrict attention to ‘decision’ problems, where the answer 
is either ‘yes’ or ‘no’. Most problems of interest can be reformulated as decision 
problems in a very natural way without losing their intrinsic complexity. For 
example, the problem of factoring any integer N into two non-trivial factors can 
be reduced to O(log N) decision problems of the form ‘Does the integer N have 
a non-trivial factor less than T?’, where T is an additional input we can choose. 


Decision problems can be treated as the problem of recognizing elements of a 
language. This framework of language recognition problems might seem awk- 
ward at first, but much of computational complexity theory has been developed 
using this terminology; so it is useful to be somewhat familiar with it. Below we 
explain this formalism in a bit more detail and define a few of the most common 
complexity classes one will encounter in the quantum computing literature. 
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9.1.1 Language Recognition Problems and Complexity 
Classes 


In order to compute, we need a reasonable way to represent information. Unary 
encoding (i.e. representing the number j by a string of 1s of length 7) is expo- 
nentially less efficient than using strings of symbols from any fixed alphabet of 
size at least 2. Going from an alphabet of size 2 to a larger alphabet of fixed size 
only changes the length of the problem representation by a constant factor. So 
we will simply use the alphabet © = {0,1}. The set &* denotes all finite length 
strings over that alphabet. A language L is a subset of *. In particular, usually 
L is a set of strings with some property of interest. 


An algorithm ‘solves the language recognition problem for L’ if it accepts any 
string x € L and rejects any string x ¢ L. 


For example, the problem of deciding whether an integer n (represented as a 
string of bits) is prime is rephrased as the problem of recognizing whether the 
string representing n is in the language PRIME = {10, 11,010,011, 101,111,...} 
(which consists of the set of all strings representing prime numbers, according to 
some reasonable encoding, which in this case is standard binary encoding). 


As another example, consider the problem of deciding whether a given graph 
x (represented by a string of bits in some reasonable way) is 3-colourable. A 
graph is 3-colourable if it is possible to assign each vertex uv one of three colours 
c(v) € {RED, GREEN, BLUE} so that any two vertices joined by an edge 
are coloured with different colours. Such an assignment of colours is a proper 
3-colouring. This problem is equivalent to recognizing whether the string rep- 
resenting x is in the language 3-COLOURABLE, which is the set of strings 
representing 3-colourable graphs. Note that there are only 6 possible edges 
on a graph with 4 vertices (let us call them v1, v2, v3, v4), namely e; = {v1, v2}, 
€2 = {01,U3},€3 = {U1, Va}, €4 = {v2,U3},€5 = {v2,Va},e6 = {v3, va}. Thus, 
we can naturally represent the graphs on 4 vertices by strings 71 %9%324%5%¢6 
of length 6, by letting x; = 1 if and only if x contains the edge e;. We can 
easily verify that 101111 € 3-COLOURABLE since the c(v1) = RED, c(v2) = 
BLUE, c(v3) = RED, c(v4) = GREEN is a valid 3-colouring as shown in 
Figure 9.1. 


Now that we have shown how to phrase decision problems in terms of recognizing 
elements of a language, we can define various classes of languages. For example, 
we formally define P (‘polynomial time’) to be the class of languages L for 
which there exists a deterministic classical algorithm A running in worst-case 
polynomial time! such that for any input 2 € D* the algorithm A on input z, 
outputs ‘accept’ if and only if « € L. Note that this class does not capture the 
possible advantages of using randomness to solve problems. 


1More precisely, there exists a polynomial p(n) such that A runs for time at most p(n) on 
inputs of length n. 
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V2 
BLUE 


U4 


Fig. 9.1 The above graph zx is represented by the string 101111. Since it is possible to 
colour the vertices with 3 colours so that adjacent vertices are coloured differently, we 
say that x is 3-colourable, or equivalently 101111 € 3-COLOURABLE. 


The class BPP (‘bounded-error probabilistic polynomial time’) consists of all 
languages L for which there exists a randomized classical algorithm A running 
with worst-case polynomial time such that for any input x € * we have 


e if « € L then the probability that A accepts x is at least 


wile wi 


e if « ¢ L then the probability that A accepts x is at most 


It is important to note that when we refer to ‘the probability that A accepts’, we 
are referring to the probability over random choices of paths of the computation 
on the fixed input x € L, and not an average over all x € L. It is also worth noting 
that there is nothing special about Z. Any constant 4+6 , where 6 > 0 will work. 
For any fixed 6, we can repeat the algorithm A a total of n independent times 
and take the majority answer. We now get the correct answer with probability 
at least 1 — «” for some constant €, 0 < € < 1 (see Appendix A.1). 


The class BQP (‘bounded-error quantum polynomial time’) consists of all lan- 
guages L for which there exists a quantum algorithm A running with worst-case 
polynomial time such that for any input x € &* we have 


e if « € L then the probability that A accepts x is at least 


wile Wi 


e if  ¢ L then the probability that A accepts x is at most 


Polynomials have the property that their sum, product, and composition are still 
polynomials. By only concerning ourselves with the computational complexity of 
an algorithm up to a polynomial factor we get a crude but very robust measure 
of computational complexity. Most reasonable changes in architecture one would 
imagine do not affect whether the computational complexity is polynomial or 
not (since using one architecture to simulate another only incurs a polynomial 
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‘blow-up’ in complexity). Thus distinguishing problems that can be solved with 
a polynomial complexity from those that cannot is a distinction that will not 
depend on the details of your computer architecture. 


It is thus convenient to treat algorithms with polynomial complexity as ‘efficient’ 
and problems that can be solved with polynomial complexity as ‘tractable’, and 
problems without polynomial solutions as ‘intractable’. Note that in any com- 
puting model where information cannot travel arbitrarily fast, and where an 
exponential number of operations cannot be crammed into a polynomial sized 
space (e.g. the Turing machine model), the space used cannot be superpolyno- 
mially more than the running time, and so in such computing models, we can 
equate polynomial time complexity with efficiency or tractability. 


For practical purposes, having a polynomial complexity is (almost) necessary for 
being solvable in practice, but might not be sufficient. At the very least, finding 
a polynomial time algorithm is a good start towards finding a feasible solution. 


One type of change in computational model that might drastically change the 
computational complexity is to change the implicit physical framework in which 
the computing model is based. For example, deterministic classical computa- 
tion is implicitly only referring to a deterministic classical theory of physics. 
By adding the possibility of a randomness, we get probabilistic classical com- 
putation. By working in a quantum mechanical framework, we get quantum 
computation. 


We traditionally view decision problems corresponding to recognizing languages 
in BPP as tractable on a probabilistic classical computer, and problems without 
such worst-case polynomial time solutions intractable on a classical computer. 
Analogously, we view decision problems corresponding to recognizing languages 
in BQP as tractable on a quantum computer, and problems without such worst- 
case polynomial time solutions intractable on a quantum computer. 


Some problems seem to elude any efficient solution in the worst-case, such as de- 
ciding whether a given graph is 3-colourable. Note that although it might be very 
difficult to decide if a graph « is 3-colourable, it is very easy to check if a given 
colouring y is a proper 3-colouring. That is, there exists a polynomial time algo- 
rithm CHECK-3-COLOURING (a, b) such that CHECK-3-COLOURING(z, y) = 
1 if and only if y is a valid colouring of the graph x (the algorithm simply goes 
through every edge of the graph x and checks that according to the colouring y 
the two vertices of each edge are coloured differently). 


This property inspires the class NP (‘non-deterministic polynomial time’) which 
consists of all languages DL for which there exists a polynomial time algorithm 
A(a,b) such that for any input x € &* we have 


e if « € L then there exists an input y such that A(z, y) outputs ‘accept’ 
e ifa ¢L then A(z, y) outputs ‘reject’ for all y 


and the length of y is bounded by a polynomial in the length of x. 
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Another way of looking at the class NP is as the class of languages L for which 
for any « € LD a prover can convince a verifier that x is in DL by providing a 
short proof that the verifier can deterministically verify on a classical computer 
using time polynomial in the size of x (the prover’s computation time is not 
bounded). Note that this does not imply that there is a short proof to verify 
some « ¢ L. There are many variations on this class including MA (‘Merlin— 
Arthur games’) where the verifier (Arthur) uses the short proof (provided by 
Merlin) to probabilistically verify on a classical computer that « € L. Clearly 
NP C MA and BPP C MA. Other complexity classes can be defined based on 
interactive proofs, proofs with more than one prover, and proofs using quantum 
computers, quantum communication, or entanglement. We will not cover this 
rich landscape of complexity classes in this textbook. 


There is a special subclass of problems within NP that are called ‘NP-complete’. 
These problems have the property that an efficient solution to any one of these 
problems implies an efficient solution to any problem in NP. More precisely, let 
L be any NP-complete language. Then for any language L’ € NP, there exists 
a Classical deterministic polynomial time algorithm that computes a function 
f: {0,1}* — {0,1}* with the property that « € L’ if and only if f(x) € L. 
In other words, one query to an oracle for solving L will solve any problem in 
NP. Well-known examples of NP-complete problems include circuit satisfiability, 
3-satisfiability (defined below), 3-colouring, the traveling salesman problem (the 
decision version), and the subset sum problem. Integer factorization and graph 
isomorphism are in NP but not believed to be NP-complete. 


We will refer to the NP-complete problem 3-satisfiability (3-SAT) later, so we 
define it here. An instance of 3-SAT is specified by a Boolean formula ® in a 
particular form, called ‘3-conjunctive normal form’ (3-CNF). A Boolean formula 
is in 3-CNF if it is a conjunction (logical AND) of clauses, each of which is 
a disjunction (logical OR) of three Boolean variables (or their negations). For 
example, the following is a 3-CNF formula in the variables 61, b2,..., bg: 


® = (b; V bz V b3) A (by V ba V bs) A (bg V bg V b3). 


A ‘satisfying assignment’ of a particular 3-CNF formula ©® is an assignment of 
0 or 1 values to each of the n variables such that the formula evaluates to 1. 
For example, b1b2b3b4b5bg = 110010 is a satisfying assignment (the first clause 
evaluates to 1 because b; = 1, the second clause evaluates to 1 because bs = 1, 
and the third clause evaluates to 1 because b2 = 1; therefore, the conjunction 
of the three clauses evaluates to 1). The language 3-SAT is the set of 3-CNF 
formulas (represented by some reasonable encoding) for which there exists at 
least one satisfying assignment. Note that given a satisfying assignment, it is 
easy to check if it satisfies the formula. 

The class PSPACE consists of all languages L for which there exists a classical 
algorithm A using worst-case polynomial space such that for any input « € y* 
the algorithm A accepts x if and only if x € L. 
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Fi SPACE 


a NP 3-Colouring, 


+ SAT, etc. 


_ Integer factorization, 
elliptic curve discrete logarithm problem 


~~ Multiplication, 
primality, etc. 


Fig. 9.2 This diagram illustrates the known relationships between some of the most 
important complexity classes. At present, none of the inclusions are known to be strict. 
For example, there is currently no proof that P 4 PSPACE. 


Figure 9.2 illustrates the known relationships between the complexity classes we 
just defined. For example, clearly P C BPP C BQP C PSPACE, and P C NP C 
PSPACE. Unfortunately, to date, there is no proof that any of the containments 
drawn are strict. But it is widely believed that P 4 NP and that NP 4 PSPACE. 
We also expect that BPP 4 BQP. 


Note that resolving the question of whether P = NP is considered one of the 
greatest open problems in mathematics (e.g. it is one of the million dollar 
‘Millennium Problems’ of the Clay Mathematics Institute) 


We have only sketched a very small number of complexity classes. See, for ex- 
ample, Aaronson’s complexity ‘zoo’ for a listing of virtually all the complexity 
classes studied to date. 


The biggest challenge of quantum algorithmics is to find problems that are in 
BQP but not in BPP; that is, to find problems that are efficiently solvable on a 
quantum computer but not a classical computer. The study of these complexity 
classes and the relationships between them can be helpful in understanding the 
difficulty of these problems. 


Most of the interesting lower bounds have been proved in some sort of black- 
box model. The black-box lower bounds we describe in the next sections provide 
some evidence that BQP does not contain all of NP, though the possibility is not 
explicitly ruled out at present. The lower bound methods also prove the optimal- 
ity of several of the black-box quantum algorithms we described in Chapters 6, 
7 and 8. 


9.2 The Black-Box Model 


In the black-box model, the input to the problem is provided by a black-box (or 
‘oracle’) Ox for accessing information about an unknown string X = X1,..., Xn, 
where we will assume the N variables X; are binary. The oracle allows us to make 
queries about the binary values of the individual variables. We usually assume 


TEAM LinG 


186 QUANTUM COMPUTATIONAL COMPLEXITY THEORY AND LOWER BOUNDS 


the quantum black-box implements 


Ox: |9)|b) — |7)|b ® X5). (9.2.1) 


The objective is usually to compute some function F(X) of the string X. Though 
in general the task at hand might be more complicated.? Solving the search 
problem for X is no easier than solving the decision problem for X, which is to 
decide if there exists some j such that X; = 1. This decision problem can be 
thought of as evaluating the OR function of the binary variables X1,..., Xn: 


OR(X1...Xn) = X1V XoV-- VX. (9.2.2) 


A computation in the black-box model is one which computes such a function 
F: {0,1}* — {0,1} given access to the black-box Ox for X. The computation 
can perform any unitary operation (i.e. we do not worry about decomposing 
the unitaries into gates from a finite gate set) and makes queries to the black- 
box Ox. Note that with no queries to Ox, we cannot evaluate any non-trivial 
F(X) since we have no information about the input X. The goal of a black-box 
computation is to extract enough information about X using Ox in order to be 
able to reliably compute F(X). 


The ‘query complexity’ of an algorithm is the number of queries used by the 
algorithm. The query complexity of a problem is the number of queries needed 
in order to solve the problem. The black-box model of computation has proved 
useful both for algorithmic design and for understanding the limitations of algo- 
rithms for certain problems. Most of the algorithms we have seen in this textbook 
are essentially black-box algorithms. For example, the period-finding formula- 
tion of Shor’s algorithm is a black-box algorithm, and the quantum searching 
and counting algorithms are black-box algorithms. In the black-box model, it 
can be shown that (4/7) queries are required to find the period r of a periodic 
function f on a classical computer. A quantum algorithm finds the period with 
high probability using O(1) queries. 


Black-boxes can be replaced with ‘white boxes’, which are circuits that actually 
implement the black boxes. For example, Shor’s order-finding algorithm replaces 
the black box for Uy by an actual circuit that computes the function f(x) = a® 
mod N. 


When we replace black boxes by white boxes, the total complexity of the algo- 
rithm can be upper bounded by TB + A, where T is the query complexity of the 
black-box algorithm, B the computational complexity of actually implementing 
a query, and A the computational complexity of all the non-query operations 
performed by the black-box algorithm. For Shor’s order-finding algorithm, T, B, 
and A are all polynomials in the input size, and thus the running time of the 
algorithm is polynomial. 

?For example, in Section 8.1 we addressed the problem of outputting 7 such that Xj; =. 


This corresponds to having a relation R consisting of pairs (b,j) where X; = b, and wishing 
to sample an element with b = 1. 
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Lower bounds in the black-box model do not automatically carry over to the 
white-box model. However, the query lower bounds do apply to any algorithm 
that only probes the input to the problem in a way equivalent to a black-box 
query. For example, we will prove later that any quantum algorithm for searching 
for a solution to f(a) = 1, where f: {1,2,..., N} — {0,1} must make T € 
0(/N) queries to the black-box for Uy. The quantum searching algorithm solves 
this problem with O(N) queries, and thus any algorithm that tries to find a 
solution to f(a) = 1 and only probes the function f by implementing f(a) must 
have complexity TB + A, for some B > 1 and A > 0. Thus, the computational 
complexity of any algorithm of this form must be in Q(VN). 


For example, consider a 3-SAT formula (defined Section 9.1.1) © in n variables, 


@1,%2,..-, Ln, N = 2”, and let the numbers 1,2,..., N encode the 2” assign- 
ments of the variables 21, 72,..., Up». Define the function fe so that fa(y) = 1 
if setting 71 = y1,22 = Y2,..-, Ln = Yn satisfies the formula ®, and fo(y) = 0 
otherwise. 


We can rephrase the 3-SAT problem as follows. 


Define N binary variables X1,..., Xj such that X; = fo(j) and solve the search 
problem for X = X,Xo,... Xn. The function fs can be evaluated in time in 
O(log® N) for some positive constant c. Thus, quantum searching would find a 


solution in time in O ((log® N) VN). 


Although we are actually given the formula ®, or a circuit for evaluating fa, if 
we restrict attention to algorithms that probe the input only by evaluating fe, 
the query lower bound of 2(VN) proved later in this section applies. In order 
to ‘beat’ these lower bounds, one must exploit the structure of ® in some clever 
way. 


9.2.1 State Distinguishability 


The general approach for proving that T queries are necessary is to show that 
with fewer than T queries, the algorithm cannot reliably distinguish the black- 
box Ox for an input X satisfying f(X) = 1 from the black-box Oy for some 
input Y satisfying f(Y) = 0. Consider any algorithm A that makes T queries, 
and let |¢x) be the state produced by the algorithm A with the oracle Ox and 
let |wy) be the state produced by the algorithm A with the oracle Oy. For the 
algorithm to reliably compute F(X) and FY) it is necessary that the states |x) 
are |~y) are reliably distinguishable. It will be useful to state one of the earliest 
results in the vast literature of quantum state estimation and distinguishability. 


Distinguishing Two Pure Quantum States With Minimum Error 


Input: One of two known states |yx) or |w’y), with the property that 


(ex |by)| = 6. 
Output: A guess ‘X’ or SY’. 
Problem: Maximize the probability 1 — € that the guess is correct. 
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The following theorem is proved in Appendix A.9, which also describes the op- 
timal measurement. 


Theorem 9.2.1 Any procedure that on input |qz) guesses whether Z = X or 
Z=/Y will guess correctly with probability at most 1—¢« = $ + $V 1 — 6?, where 
5 = |(%x|~y)|. This probability is achievable by an optimal measurement. 


There are many other ways of formulating the distinguishability question. For 
example, Helstrom originally addressed this question assuming a uniform prior 
distribution on |¢x) and |wy). The same procedure is optimal in order to maxi- 
mize the expected probability of guessing the correct answer (averaging over the 
inputs). 


As another example, one might want a procedure that outputs ‘z = 2’, ‘z= y’ 
or ‘do not know’, with the guarantee that the procedure is never wrong. In 
this case, for example, the objective might be to minimize the probability that 
it will output ‘do not know’. The literature on quantum state estimation and 
distinguishability is extensive. For the rest of this chapter, we will only need the 
result above. 


9.3. Lower Bounds for Searching in the Black-Box Model: 
Hybrid Method 


Given a function f: {1,2,..., N} — {0,1}, the searching problem is to find 
ay € {1,2,..., N} such that f(y) = 1. This framework is very general as it 
applies to any problem where we can recognize a solution and wish to actually 
find a solution. 


The decision problem is to determine whether or not there exists a solution to 
the search problem. A solution to the searching problem yields a solution to the 
decision problem, so a lower bound on the difficulty of the decision problem 
implies a lower bound on the difficulty of the searching problem. 


In Section 8.1, we saw a bounded error quantum algorithm for solving the prob- 
lem of searching a solution space having N elements, making O(VN) queries to 
the black-box Uf. It is natural to wonder whether we could be even more clever, 
and get a quantum algorithm that solves this problem with even fewer oracle 
queries. We might even hope to get an exponential speed-up. In this section we 
prove a lower bound result showing that Grover’s algorithm is the best possible. 
That is, no black-box search algorithm can solve the searching problem making 
fewer than Q(VN) queries. 


Consider an algorithm making T queries. Without loss of generality it has the 
form shown in Figure 9.3. 


Exercise 9.3.1 Show how the circuit in Figure 9.4 can be simulated by a circuit of 
the form in Figure 9.3 with the same number of black-box queries. 


TEAM LinG 


LOWER BOUNDS FOR SEARCHING IN THE BLACK-BOX MODEL: HYBRID METHOD 189 


oracle { - ios 
query : Ox Ox ~ Ox 
oracle result Up U; eee Ur 


workspace { : 


Fig. 9.3 Without loss of generality, any network which makes T black-box queries is 
equivalent to a network which starts with the state |00...0), applies a unitary operator 


Uo, followed by a black-box query on the first n + 1 qubits, followed by a unitary 
operation U; and so on, with a final unitary operation Ur after the last black-box 
call. 


Ox 


Uo U; 


Ox 


Oooo ooo ooo oo 2 
Sra 


Fig. 9.4 This circuit with two queries done in parallel can be simulated by a 
circuit with two queries performed in series (i.e. a circuit of the same form as 
Figure 9.3). 


Definition 9.3.1 Let X,, denote the string with a1 in position x and 0 elsewhere 
(i.e. Xz =1 and X, =0 for ally # x). Let S={X,: a4 =1,2,..., N} be the 
set of all strings {0,1} with exactly one 1 in the string. 


We will prove the following theorem. 


Theorem 9.3.2 Any bounded-error quantum algorithm that will for each 
X € SU {0} determine whether there exists a j such that X; = 1 must make 
Q(VN) queries to Ox. 


This implies the following corollaries. 


Corollary 9.3.3 Let T C {0,1}% satisfy S$ U {0} C T. Any bounded-error 
quantum algorithm that will for each X € T determine whether there exists j 
such that X; = 1 must make Q(VN) queries to Ox. 


Corollary 9.3.4 Let T C {0,1}% satisfy S C T. Any bounded-error quantum 
algorithm that will for each X € T will find a j such that X; = 1 must make 
Q(/N) queries to Ox. 
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Let us relate these results to the question of solving NP-complete problems, like 
3-SAT, on a quantum computer. Note that there are 20(n*) distinct 
3-SAT formulas ®, each corresponding to a string X € {0,1}, N = 2” (where 
X; = fo(j)). However, there are 2% strings X € {0,1} (where since N = 2”, we 
have 2% >> 20(n*)), So the relevance of a result pertaining to algorithms that suc- 
ceed for all X € {0,1}% to the problem of solving 3-SAT is not so clear. However, 
since the set of all strings KX = X1X2...Xw of the form X,; = fs(j) for some 
3-SAT formula ® contains S U {0}, this lower bound also applies to black-box 
algorithms for 3-SAT. 


Exercise 9.3.2 Prove that the set of all strings X = X,;X2... Xn of the form X; = 
fa(j) for some 3-SAT formula ® in n variables contains S U {0}, the set of all strings 
of length N with at most one 1. 


Corollary 9.3.5 Any bounded-error black-box quantum algorithm that will for 
each 3-SAT formula ® in n variables determine whether there exists a satisfying 
assignment must make Q(VN) queries to the black-box that evaluates fo. 


The proof of Theorem 9.3.2 follows from this lemma. 


Lemma 9.3.6 Any bounded-error black-box quantum algorithm that success- 
fully recognizes the all-zero string and also recognizes at least Q(N) of the strings 
X, € S as being non-zero requires Q(/ N) queries. 


Proof Consider any algorithm that makes T queries. Recall X, is the string 
with exactly one 1, located at position x. 
Let 


N 
[Y5) = 0 ay sly) lov) 
y=l1 


be the state of the quantum computer just before the (j + 1)** query, assuming 
X = 00...0, the all-zeroes string. Let |r) be the final state of the computer 
before outputting the answer. 

For the quantum algorithm to recognize that any string X is not equal to 
0 = 00...0, the T queries must nudge the state of the computer to something 
almost orthogonal to |wr). Let |w7Z) be the final state of the computer querying 
an oracle Ox. 

When querying a black-box Ox, for any non-zero X,, after the jth query, 
the total amount of nudging will be at most 77—6 2|az,n| (see Exercise 9.3.4). 
For the algorithm to successfully recognize the all-zero string with probability at 
least 2 and successfully distinguish a non-zero string X from the all-zero string 
with probability at least z, the total amount of nudging must be greater than 
some constant c > 0.338 (combine Theorem 9.2.1 and Exercise 9.3.3). In other 
words, for each X 4 00...0, say Xz, 


1 z 
loe,e| 2 slllvr) — lr) || 2 


> 
ll 
° 
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So for the quantum algorithm to successfully recognise M of the non-zero 
strings (with bounded probability) as being distinct from the all-zero string, we 


must have 
N T-1 


YY lawal > 5M. 


a=1 k=0 
On the other hand, we know that 5°, |az,x| can not be too big, since 
Y,, @a,k|e)|Gzx) is a quantum state. Since hehe |ax,z|? = 1, the Cauchy—Schwartz 
inequality? implies >, |ax,n| < VN. 


Thus 
N T 
dd lee.n] STV. 
r=1k=0 
M_ 
VN? 


which proves the lemma. 


This implies that T > 


Exercise 9.3.3 Let |¢o) and |¢1) be any two quantum states of the same dimension. 


Prove that 


implies 


Exercise 9.3.4 Let |q7) be the state of the quantum computer on input X, just before 
the jth query, for j € {0,1,..., T— 1}. So |WF41) = U;Ox, |W7). Let |w741) = Uj|v7). 


(a) Prove that 
|leF42) — leFaa)|| < lees 


Note that this means |741) = 7.1) + 8)+41|E;+1) for complex 3;41 and normalized 
state |Fj41), with |@j+1| < 2|ae,;|. 


(b) Let |%;) = D7, ay,j|y)|@y) be the state of the quantum computer that is querying 
the black box Ox for the string X = 00...0 just before the (j + 1)** query. Prove that 


Ill5) — 17) || < 2lae.o| + +++ + 2lae,j—1]. 


9.4 General Black-Box Lower Bounds 


We applied this hybrid method to one particular problem, which corresponds to 
computing the OR of N binary variables. We will describe the next three methods 
in the context of computing an arbitrary function F of N binary variables. 


3The Cauchy-Schwartz inequality implies that for any real numbers aj,a2,..., 
an, b1,b2,..., by we have (a1bj +agb2+---+anby)? < (a? ; a3 pees 4 a2,)(b? } b3 f+++ 4 b2,). 
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We call a function F that is defined for all possible input values in {0, 1} a ‘total 
function’. Otherwise, we say F' is a ‘partial function’. For example, the Deutsch- 
Jozsa problem of Section 6.4 evaluates the partial function F’ defined on strings 
that are either constant or ‘balanced’. We can also view the problem of finding the 
period of a function f as evaluating a partial function. If we represent the periodic 
function f by a bit string of length n2” corresponding to the concatenation of 
f(O)f(1) f(2)... f(2” — 1), then the period-finding problem is only defined on 
strings corresponding to functions f for which f(0), f(1),..., f(r — 1) are all 
distinct, and f(a) = f(x+r) for > 0. We can also call the problem of evaluating 
a partial function a ‘promise problem’, since we are promising that the input to 
the function has some specific form. 


Before we detail the techniques for proving lower bounds in the black box model, 
we will show that quantum algorithms give at most a polynomial advantage over 
classical algorithms for total functions. Thus, in order to get a superpolynomial 
advantage, we need to consider promise problems. 


Definition 9.4.1 The deterministic query complexity D(F) of F is the mini- 
mum number of queries to Ox required by a deterministic classical procedure 
for computing F(X) for any X € {0,1}%. 


Note that the jth index to be queried can depend on the outcome of the previous 
j — 1 queries. 


The quantum equivalent of D(F’) is the exact quantum query complexity Qz(F) 
of F. 


Definition 9.4.2 The exact quantum query complexity Qg(F) of F is the min- 
imum number of queries to Ox required by a quantum algorithm which correctly 
computes F(X) with probability 1 for any X € {0,1}%. 


Exact quantum computation is not as natural a computing model as its classical 
counterpart, since when we translate an exact black-box algorithm into a circuit 
composed of gates from a finite set of gates, the probability of success will not 
usually be exactly one. Furthermore, as is the case with classical computation, 
in practice we can never implement gates exactly, and thus it makes sense for 
any practical purpose to focus attention on bounded-error computations. A more 
relevant quantity is the 2-sided error quantum query complexity Qo(F) of F. 


Definition 9.4.3 The 2-sided error quantum query complexity Qo(F') of F is 
the minimum number of queries to Ox required by a quantum algorithm which, 
on any input X € {0,1}, outputs a {0,1} value that with probability at least 
2 is equal to F(X). 


Theorem 9.4.4 If F is a total Boolean function, then D(F) < 2!7Q2(F)°. 


We say a function F' is symmetric if permuting the bits of X does not change the 
value of F’. In other words, F' only depends on the number of Is in the string X. 
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Theorem 9.4.5 If F is asymmetric Boolean function, then D(F) € O(Q2(F)?). 


What do Theorems 9.4.4 and 9.4.5 mean for the quantum complexity of com- 
puting F’ given a black-box for computing X;? Suppose the best deterministic 
classical strategy for evaluating F(X) requires in the worst case T = D(F) 
queries of the bits of X. Theorem 9.4.4 tells us that any quantum algorithm 
computing F' requires at least to queries, and if F is symmetric then Q(/T) 
queries are required. 


Theorem 9.4.4 tells us that quantum query complexity is at most polynomial 
better than classical query complexity for total functions. 


In order to get a superpolynomial advantage in the black-box model, we need to 
consider ‘partial functions’, which are only defined on a subset of {0,1}. For ex- 
ample, the black-box version of Shor’s period-finding algorithm is only required 
to work on strings X that encode periodic functions. The classical bounded-error 
query complexity for such a partial function is in @(./r) where r is the period, 
while the quantum query complexity is in O(1). The Deutsch—Jozsa algorithm 
is only required to work on ‘constant’ or ‘balanced’ strings X. The classical ex- 
act query complexity of the Deutsch—Jozsa problem is + +1, while the query 
complexity for an exact quantum algorithm is 1 (recall that bounded-error clas- 
sical algorithms only required a constant number of queries, so the gap is not so 
significant in that case). 


All of the methods described below can be adapted to work on partial functions 
as well as total functions. 


9.5 Polynomial Method 


In this section we show how a quantum circuit which queries the string X a total 
of T times will have amplitudes that are polynomials of degree T in the variables 
X 1, X2,..., Xn. If T =0, the amplitudes are independent of the variables, and 
the circuit computes a function that is constant. The higher T is, the more so- 
phisticated the functions that the circuit can compute. In the subsequent section 
we describe several applications of this fact. 


Lemma 9.5.1 Let N be a quantum circuit that uses a total of m-qubits and 
makes T queries to a black-box Ox. Then there exist complex-valued N-variate 
multi-linear polynomials po, p1,..., Pgm-1, each of degree at most T, such that 
the final state of the circuit is the superposition 


for any oracle Ox. 
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Proof Wecan assume that N = 2”. We can assume that the black-box queries 
to Ox are done sequentially and always to the first n + 1 qubits (see Exer- 
cise 9.3.1). Let U; denote the unitary transformation which we apply between 
the jth and (j + 1)" black-box query. We thus have the circuit illustrated in 
Figure 9.3. For the proof, it will help to consider the register in three parts: the 
first n-qubits, the 1 output bit, and the remaining | = m — n— 1 ancilla bits. 
Just before the first black-box application the m-qubits will be in some state 


S- ajor|g0k) + ajir|g1k), 


ijk 


where 0 < j < 2",0<k < 2',b © {0,1}, and the aj, are independent of 
the string X. In other words the amplitudes aj», are polynomials of degree 0 in 
X1,X2,..., Xw. For b € {0,1} we use the notation b = NoT(b) = 1 — b. After 
the first black-box call, we have the state 


x ajor|7Xjk) + ajik|jX jk) 


ik 


= So[G = Xj )ayon + Xjajrw]|GOk) + [1 — Xj ayia + Xjajox]|i1k). (9.5.1) 
j,k 


Therefore, the amplitudes are polynomials in the X; of degree at most 1. 
The unitary operation U, is linear, and thus the amplitudes just after Uj is 
applied are still polynomials of degree at most 1. Suppose that for some j > 1, 
after U;_1 is applied the amplitudes are polynomials of degree at most j — 1. 
Then, the jth black-box call adds at most 1 to the degree of the amplitude 
polynomials so they are of degree at most j7. The U; replaces the amplitude 
polynomials with linear combinations of amplitude polynomials, and thus the 
degrees remain at most j. By induction, the amplitudes are polynomials of degree 
T after Ur. Since 2? = x for x € {0, 1}, we can assume the polynomials are multi- 
linear. 


We get the following corollary from the fact that if the amplitudes of a basis 
state is a polynomial a(X) of degree T in the variables X1, Xo,..., Xn, then 
the probability of measuring that basis state, a(X)a(X)*, will be a polynomial 
of degree 2T with real coefficients. 


Corollary 9.5.2 Let N be a quantum circuit that makes T queries to a black- 
box Ox, and B be a set of basis states. Then there exists a real-valued multi-linear 
polynomial P of degree at most 2T’, which equals the probability of observing a 
state from the set B after applying the circuit N using black-box Ox. 


9.5.1 Applications to Lower Bounds 


Let us start by defining the quantities deg(F’) and deg(F) related to the N- 
variate function F’. Although the function F' is only defined on values of 0 and 
1, it is useful to extend this function to the reals. 


Definition 9.5.3 An N-variate polynomial p: RY — R represents F if p(X) = 
F(X) for all X € {0,1}%. 
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Lemma 9.5.4 Every N-variate function F : {Xj,..., Xn} — {0,1}, has a 
unique multi-linear polynomial p: RN —> R which represents it. 


Proof The existence of a representing polynomial is easy: let 


pX)= SY. FY) [J [1-(% - Xe)’I. 


Ye{0,1}% 


To prove uniqueness, let us assume that pi(X) = p2(X) for all X € {0,1}%. 
Then p(X) = pi(X) — p2(X) is a polynomial that represents the zero function. 
Assume that p(X) is not the zero polynomial and without loss of generality, let 
aX 1X2... X, be a term of minimum degree, for some a 4 0. Then the string 
X with X; = Xo =--- = X,; = 1 and the remaining X; all 0 has p(X) =a £0. 
This contradiction implies that p(X) is indeed the zero polynomial and p; = po. 


The degree of such a p is a useful measure of the complexity of F. 


Definition 9.5.5 The degree of the polynomial p which represents F' is denoted 
deg(F). 


N 
For example, the OR function is represented by the polynomial 1 — [| (1 — X;) 
j=l 
which has degree N. Thus deg(OR) = N. 


In practice, it would suffice to have a polynomial p which approximates F' at 
every X € {0,1}. For example OR(X1, X2) © $(X1 + X2). 


Definition 9.5.6 An N-variate polynomial p: RN — R approximates F if 
|p(X) — F(X)| < 3 for all X € {0,11%. 


The minimum degree of such a polynomial p is another useful measure of the 
complexity of F. 


Definition 9.5.7 The minimum degree of a p approximating F' is denoted 
deg(F). 


We have the following theorems relating the quantum query complexities Qz(F) 
and Qo(F’) to deg(F), deg(F). 


Theorem 9.5.8 If F is a Boolean function, then Qp(F’) > deg(F) 


Proof Consider the result of a quantum algorithm for evaluating F’ exactly 
using Qz(F’) queries. By Corollary 9.5.2, the probability of observing 1 is pi(X), 
a polynomial of degree at most 2Qz(F’). We will observe 1 if and only i 
F(X) = 1. In other words p;(X) = F(X) for all X € {0,1}%. This implies 
that 2Qn(F) > deg(F). 
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Theorem 9.5.9 If F is a Boolean function, then Q2(F) > deste) 


Proof Consider the result of a quantum algorithm for evaluating F’ approx- 
imately using Q2(F’) queries. By corollary 9.5.2, the probability of observ- 
ing 1 is p1(X), a polynomial of degree at most 2Qz2(F). If F(X) = 1, then 


pi(X) > §. Similarly, if F(X) = 0 then 1 — p;(X) > 3. In other words 


\pi(X) — F(X)| < § for all X € {0, 1}. which means p; approximates F. 


This implies that 2Q2(F) > deg(F). 


9.5.2 Examples of Polynomial Method Lower Bounds 


We have already seen that deg(OR) = N, and thus Qp(OR) > %. A more 
careful application of the polynomial method actually shows that Qz(OR) = N. 


It can be shown that deg(OR) € @(VN), and thus Q2(OR) € (VN). Note 
that this lower bound is tight (up to a constant factor), since quantum searching 
evaluates the OR function with bounded-error using O(N) queries. 

Consider the MAJORITY function, defined as MAJORITY(X) = 1 if X has 
more than x ones, and 0 if it has fewer or equal to x ones. It can be shown 
that deg(MAJORITY) € O(N). Thus Qo(MAJORITY) € Q(N), so quantum 
algorithms are not very useful for computing majorities. 

A generalization of MAJORITY is the THRESHOLD,, function, defined as 
THRESHOLD y;(X) = 1 if X has at least M ones, and 0 otherwise. It can be 
shown that deg(THRESHOLDy,) € O(,/M(N — M + 1)). Note that this means 
that the exact quantum counting algorithm described in Section 8.3 makes an 
optimal number of queries (up to a constant factor). 


The PARITY function is defined as PARITY(X) = 1 if X has an odd number 
of ones, and 0 if X has an even number of ones. The degree of the PARITY 
function is deg(PARITY) = N, and so Qg(PARITY) > [4]. It can be shown 


deg(PARITY) = N as well, and thus Q2(PARITY) > [%]. 


Exercise 9.5.1 Find a real polynomial of degree N that represents the PARITY func- 
tion. 


Exercise 9.5.2 Show that Qz(PARITY) = Q2(PARITY) = [=] by finding an algo- 
rithm that achieves the bound. 


The polynomial method can be extended to partial functions F’ defined on proper 
subsets S Cc {0,1}% ina very natural way by finding the minimum degree of a real 
polynomial P that satisfies |F(X) — P(X)| < 5 on all X € S and 0 < P(X) <1 
for all X € {0,1}%. 
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For example, the minimum degree of a polynomial representing OR on inputs 
with at most one 1 is still in Q(/VN) and thus the polynomial method provides 
another proof of Theorem 9.3.2. 


9.6 Block Sensitivity 


Intuitively, one expects functions that are very sensitive to changes of the values 
of almost any of the bits in the string X will require us to probe more bits 
of X than functions which are relatively indifferent to such changes. One way 
of rigorously capturing this concept of sensitivity is by the notion of the block 
sensitivity of F’. 


Definition 9.6.1 Let F : {0,1}% — {0,1} be a function, X € {0,1}%, and 
BC {1,2,..., N} be a set of indices. 


Let X* denote the string obtained from X by flipping the values of the variables 
in B. 


The function F is sensitive to B on X if f(X) 4 f(X®). 


The block sensitivity bsx(F’) of F on X is the maximum number t for which 
there exist t disjoint sets of indices B,,..., Bz, such that F is sensitive to each 
B; on X. 


The block sensitivity bs(F) of F is the maximum of bsx(F’) over all X € {0,1}%. 


Theorem 9.6.2 If F' is a Boolean function, then Qp(F) > ay and 
Qo(F) = pF) 


Intuitively, in order to distinguish a string X from the set of strings Y for which 
F(X) 4 F(Y) (which includes X”: for every block B; to which F is sensitive on 
X), we have to query each of the bsx(F’) blocks B; to be confident that they are 
consistent with X and not X?. This is at least as hard as searching for a block 
which is not consistent with X, which gives a Q(,/bsx(F)) lower bound for any 
X, which implies a lower bound of 2(\/bs(F)) for F. 


We omit a detailed proof of Theorem 9.6.2. A lower bound of 2(,/bs(£’)) can be 
proved by hybrid or polynomial methods, or as a special case of the technique 
we describe in the next section (see Exercise 9.7.4). Note that since we can never 
have more than N blocks, the greatest lower bound that this method can provide 


is O(VN). 


9.6.1 Examples of Block Sensitivity Lower Bounds 


The block sensitivity of the OR function is N because bs(0) = N (each individual 


bit is a block). This proves that Q2(OR) > aN and leads to another proof of 
Theorem 9.3.2. 
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Exercise 9.6.1 Prove that the block sensitivity of the THRESHOLD » function is 
N-M+1. 


This method provides a lower bound of Q(./N — M +1) for computing 
THRESHOLD y,. This lower bound is not tight like the one provided by the 
polynomial method. 


The block sensitivity of the PARITY function is N, giving a lower bound of 
Q(/N) that is also not tight. 


In the next section we describe a more general and powerful method for which 
the block sensitivity method is a special case. 


9.7 Adversary Methods 


Consider any algorithm A that guesses F'(Z) after t calls to a black-box for Z. 
Let |b?) be the state just after the jth call to the oracle for string Z. 


Since this algorithm is trying to compute F(Z) for some unknown string Z, it 
must try to decide whether |Z) € Y = {|¥¥X)|F(Y) = 1} or WZ) € X = 
{\~X)|F(X) = 0}. Thus, a good algorithm will try to make these two sets as 
distinguishable as possible. 

Our goal is to correctly guess F(Z) for any input Z (recall we are interested in 
the worst-case performance). Suppose our algorithm A has the property that for 
any input Z the probability of guessing the correct answer is at least 1—. This 
means that the final stage of A can correctly distinguish |YX) from |") for any 
X,Y with F(X) 4 F(Y) with probability at least 1 — «. By Theorem 9.2.1, we 
know that we must have |(uX|w¥)| = 6 < 2\/e(1 — €). 

Let R be any subset of Y x Y. Notice that before any oracle queries we have 
|e) = |X) for all X,Y and thus 


SS? vd Wea’) = IRI. (9.7.1) 


[by [bX ): 
X,YER 


If after t oracles queries the algorithm always answers correctly with probability 
at least 1 — € we must have 


S> [Xd%)| < 20 — ©) RI. (9.7.2) 


(z,yJER 


If we have € < S, then 


2,/e(1 — ©)|R| < |RI. (9.7.3) 
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In other words, if we define 


Ww? = [ab br 9.7.4 
- © veo Ib; )| (9.7.4) 


(we renormalize it for notational convenience later), then we know that 


ee oS) a A 
7 Vv 11 | VIXTYT] © 


Thus if we can upper bound the rate at which the quantity W! can decrease with 
each oracle query, we will get a lower bound on the query complexity. In other 
words, we wish to prove that there is some value A > 0 so that Wi -WI-1 < A. 
This would imply that t > oa 


We have the following lemma which is proved in Appendix A.5. 


Lemma 9.7.1 Let b and b’ satisfy the following. 


e For every X € X andi € {1,2,..., N}, there are at most b different Y € Y 
such that (X,Y) € R and X; # Y;. 

e For every Y € Y andi € {1,2,..., N}, there are at most b’ different Y € Y 
such that (X,Y) € R and X; # Y;. 


Then W* — W*-! < Vobb’. 


Proof See Appendix A.5. 


This implies the following lemma. 


Lemma 9.7.2 Let F be a function defined on any subset of {0,1}%. Let X = 
{X|F(X) = 0} and Y = {Y|F(Y) = 1}, and RC &X x J, and 6,b' satisfy the 
same hypotheses as in Lemma 9.7.1. Then the number of queries to Oz required 
in order to compute F(Z) with probability at least 1 — € (for constant € < 4) is 


t>|RI (Ges) 9 Eg (9.7.5) 
7 ARG ID ANAL VAY vob 


To get some intuition behind why lower values of b and b’ give a larger lower 
bound on the query complexity, note that to recognize that X € ¥ given the 
black-box Ox, we must rule out all the Y € Y. A single (classical) query to Ox 
can rule out at most b values of Y € Y. Similarly, if we have the black-box Oy, 
a single (classical) query to Oy will rule out at most 0! values of X € ¥. 


A further simplification to this equation is achieved with the help of the following 
lemma. 
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Lemma 9.7.3 Let m and m’ be any integers satisfying: 


e For every X € &X there are at least m different Y € Y such that (X,Y) € R. 
e For every y € Y there are at least m’ different X € X such that (X,Y) € R. 


Then |R| > V/|X||Y|mm’. 


Proof Note that since for each X € ¥ there are at least m strings Y € Y such 
that (X,Y) € R, we must have |R| > m|4|. Similarly, we must have |R| > m’|¥I, 
and thus |R| must be at least as large as the average of these two numbers. Since 
the arithmetic mean of two non-negative real numbers is always greater than or 
equal to the geometric mean of the same two numbers we have 


m|X| +m! 
Lp] > ML DS iz n. (9.7.6) 


This implies the following theorem. 


Theorem 9.7.4 Let F be a function defined on any subset of {0,1}%. Let 
X = {X|F(X) = 0} andy = {Y|F(Y) = 1}, and RC Xx) and b,b' satisfy the 
same hypotheses as in Lemma 9.7.1, and m and m’ satisfy the same hypotheses 
as in Lemma 9.7.1. 


Qo(F) €2 ( | : (9.7.7) 


9.7.1 Examples of Adversary Lower Bounds 
Lower Bound for Searching 
To reprove the lower bound on searching, we can let ¥ = {0}, Y be the set of 


all strings with exactly one 1, and R= 4 x J. It is easy to verify that m= N, 
m! = b=! =1, which gives the Q(VN) lower bound. 


Exercise 9.7.1 Use the adversary method to prove that Q(N) queries are required to 
decide the MAJORITY function with bounded error. 


Hint: Let X be the strings with N/2 ones, and Y be the strings with N/2+ 1 strings. 
Choose the relation R carefully. 


Exercise 9.7.2 Use the adversary method to prove that Q(V) queries are required to 
decide the PARITY function. 
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It is worth noting that all of these lower bounds were already obtained by the 
polynomial or block-sensitivity method. The following lower bound is one which 
has not yet been achieved using the previous methods. 


Lower bound for AND-OR trees 


Consider a function F' consisting of the AND of ORs of the N variables 
X,,Xo,..., Xw taken in groups of size M = /N (for convenience we assume N 
is a perfect square). In other words 


F(X) = (XV X2V---V Xu) A (Xue V X42 V+: V Xam) A-e: 


» A (X(m—1yM41 V X(m-1)M42 V +++ V Xp). 
(9.7.8) 


A nice way of depicting this function is by a tree where the inputs are located at 
the leaves of the tree. Each vertex denotes the operation to apply to the inputs 
coming in from the edges below and are output along the edge above the vertex. 
Figure 9.5 illustrates the AND-OR tree that evaluates F(X). 


In order for F(X) to equal 1, there must be at least one 1 in each OR sub-tree. 


There are bounded-error quantum algorithms for solving this problem using 
O(VN) queries (in Exercise 9.7.3 you are asked to give an algorithm using 
O(VN log N) queries). The straightforward application of the block sensitivity 
or polynomial method gives a lower bound of 2(N*). 


| | % Se P j | a Be / \ \ 
ZT ty U3 Ly Ly+1 Lm+2 UM+3°** Lam LaM+1 L2M+2 L2M+3 °° X3mM LM?—M+1 tM?2—-M4+2 °° * Ly? 
Fig. 9.5 This tree illustrates the computation of the ‘AND-—OR’ function F’. The 
input bits are at the leaves of the tree. Each OR vertex computes the OR of the bits 
along the edges below it, and outputs the answer along the edge above it. All the OR 
outputs are the inputs to the AND vertex, which computes the AND and outputs the 
answer. 
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Fig. 9.6 This diagram illustrates an input X to the AND-OR tree where F(X) = 1. 
Note that each OR has exactly one 1 input, and thus outputs a 1. Thus the AND has 
all 1s as input, and outputs 1. 


Exercise 9.7.3 Give a bounded-error quantum algorithm for computing the AND — 
OR function F on N inputs using O(VN log N) queries. 


Using the adversary method, we get a lower bound of 0(VN). 


Theorem 9.7.5 Any bounded-error quantum algorithm that evaluates F on all 
X € {0,1}% has query complexity in 0(VN). 


Proof Let * correspond to the set of all strings with exactly one 1 in each 
of the M inputs to each OR function (see Figure 9.6 for an example). Let 
correspond to the set of all strings where exactly one OR function has only 0 
inputs (see Figure 9.7 for an example), and the remaining ORs have exactly 
one 1. 

Let R consist of every ordered pair (X,Y) € X x Y where X and Y differ 
in exactly one bit position. 

Then m = VN since for every X € ¥ there are M = VN ones (one per OR) 
that could be flipped in order to give a string Y € Y. Similarly m’ = VN since 
for each Y € JY there is one OR that has all M inputs equal to 0, and flipping 
any one of those M Os to 1 gives a string in ¥. 

Furthermore b = 1 since for each X € &X and each i € {1,2,..., N}, 
there is at most one Y € JY that differs from X in the 7th position. Similarly, 
b' =1. 

Theorem 9.7.4 implies that Q2(F) € 2(,/ 2") = Q(VN). 


The bounded-error classical complexity of F' is in O(N). 
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Fig. 9.7 This diagram illustrates an input X to the AND-OR tree where F(X) = 0. 
Note that one of the ORs has no 1 inputs, and thus outputs a 0. Thus, the AND has 
at least one 0 input and must output a 0. 


Exercise 9.7.4 Prove that the block sensitivity lower bound of Q2(F’) € Q (Vbs(F)) 


can be derived by adversary arguments. 


Hint: Let X consist of a string that achieves bs(F’). 


9.7.2. Generalizations 


There are several ways of generalizing the adversary method we have presented 
in order to get more powerful tools for proving lower bounds. For example, one 
way of looking at the definition of W/ (recall Equation (9.7.4)) is summing over 
all ordered pairs (X,Y) € XY x Y and weighing each pair with some weight 
which we took to be 1 if (X,Y) € R, and 0 otherwise. This suggests a more 
general family of ‘weighted’ adversary methods which indeed have been defined. 
Other methods use spectral or Kolmogorov complexity techniques. A large class 
of these generalizations are in fact equivalent in that they will prove the same 
lower bounds. 
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QUANTUM ERROR 
CORRECTION 


A mathematical model of computation is an idealized abstraction. We design 
algorithms and perform analysis on the assumption that the mathematical oper- 
ations we specify will be carried out exactly, and without error. Physical devices 
that implement an abstract model of computation are imperfect and of limited 
precision. For example, when a digital circuit is implemented on a physical cir- 
cuit board, unwanted electrical noise in the environment may cause components 
to behave differently than expected, and may cause voltage levels (bit-values) 
to change. These sources of error must be controlled or compensated for, or 
else the resulting loss of efficiency may reduce the power of the information- 
processing device. If individual steps in a computation succeed with probability 
p, then a computation involving t sequential steps will have a success probability 
that decreases exponentially as p*. 


Although it may be impossible to eliminate the sources of errors, we can devise 
schemes to allow us to recover from errors using a reasonable amount of addi- 
tional resources. Many classical digital computing devices use error-correcting 
codes to perform detection of and recovery from errors. The theory of error- 
correcting codes is itself a mathematical abstraction, but it is one that explicitly 
accounts for errors introduced by the imperfection and imprecision of realistic 
devices. This theory has proven extremely effective in allowing engineers to build 
computing devices that are resilient against errors. 


Quantum computers are more susceptible to errors than classical digital comput- 
ers, because quantum mechanical systems are more delicate and more difficult to 
control. If large-scale quantum computers are to be possible, a theory of quantum 
error correction is needed. The discovery of quantum error correction has given 
researchers confidence that realistic large-scale quantum computing devices can 
be built despite the presence of errors. 


10.1 Classical Error Correction 


We begin by considering fundamental concepts for error correction in a classical 
setting. We will focus on three of these concepts: (a) the characterization of 
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the error model, (b) the introduction of redundancy through encoding, and (c) 
an error recovery procedure. We will later see that these concepts generalize 
quite naturally for quantum error correction. For the remainder of this section 
we discuss how classical bits of information (in a classical computer, or being 
transmitted from one place to another) can be protected from the effects of 
errors. 


10.1.1 The Error Model 


The first step in protecting information against errors is to understand the nature 
of the errors we are trying to protect against. Such an understanding is expressed 
by an error model. It describes the evolution of set of bits. In analogy to the 
evolution or transformation that occurs on bits when they are being stored, or 
being moved around from one point of the computer to another, it is often called 
a channel. Ideally, we would like the state of our bits to be unaffected by the 
channel (i.e. we do not want a bit to change its value while it is in storage, or 
being moved from one place to another). We say that an error-free channel is an 
identity channel. When errors occur on the bits being stored or moved around, 
the channel provides a description of these errors. Ultimately, we will want to 
consider errors that occur during a computation. To understand error-correction 
methods, it is very useful to first consider the simpler case of just sending bits 
through a channel. 


The simplest classical error model is the bit-flip channel. In this model, the state 
of a bit is flipped with probability p, and is unaffected with probability 1 — p. 
The bit-flip channel is illustrated in Figure 10.1. 


For the bit-flip channel, the probability p of a bit flip is independent of whether 
the bit is initially 0 or 1. A more complicated error model might have a different 
probability of error for bits in the state 0 than state 1. The bit-flip channel we 
consider is one where errors occur independently from bit to bit. More general 
error models would account for correlated errors between different bits. When 
errors described by a given model act on a register of bits in a circuit, we show 
this by a block labeled €°, as illustrated in Figure 10.2. The superscript C is 


> 1 


Fig. 10.1 The classical bit-flip channel. 
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ES 


Fig. 10.2 A block representing the effect of errors on a register in a circuit diagram. 
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Fig. 10.3 Encoding operation taking a logical string b, and an ancilla of bits in the 
state 0, into the codeword benc. 


used to distinguish the classical from the quantum cases, which we will discuss 
later. 


The error model €© is composed of different operations €°%, where each €° 
corresponds to a specific error that occurs with probability p;. 


10.1.2 Encoding 


Once we have a description of an error model, we want to encode information in 
a way that is robust against these errors. This can be done by adding a number 
of extra bits to a logical bit that we wish to protect, and thereby transforming 
the resulting string into an encoded bit. The string of bits corresponding to an 
encoded bit is called a codeword. The set of codewords (one for each of the two 
possible bit values 0 and 1) is called a code. The codewords are designed to add 
some redundancy to the logical bits they represent. The basic idea behind the 
redundancy is that even when errors corrupt some of the bits in a codeword, 
the remaining bits contain enough information so that the logical bit can be 
recovered. 


The above scheme can easily be generalized to encode logical strings of n bits 
directly (rather than by encoding each logical bit independently). A logical string 
b of n bits can be encoded by adding m ancillary bits (in a known state, which 
we will assume without loss of generality to be 0) and then transforming the 
resulting string into an (n + m)-bit codeword, which we will call bene. 


The process of mapping the logical strings b to their respective codewords bene is 
called the encoding operation. In a circuit, we implement the encoding by adding 
some ancillary bits, initially in the 0 state, and then applying some gates. We 
represent this process in a circuit diagram as the Gey», operation, as shown in 
Figure 10.3. 
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Fig. 10.4 After a codeword benc is subjected to some errors, the recovery operation 
R® corrects these errors and recovers the logical string b. 


10.1.3. Error Recovery 


After a codeword bene is subjected to some errors the result is a string benc. We 
want a procedure for correcting the errors in benc and for recovering the logical 
bit (or string) b. This is called the recovery operation. For convenience, we will 
have the recovery operation return the ancilla to the all 0’s state (in general 
this can be achieved by discarding the old ancilla and replacing it with a freshly 
initialized ancilla). The recovery operation is shown in Figure 10.4. 


The recovery operation must be able to unambiguously distinguish between code- 
words after errors have acted on them. Suppose specific errors are represented 
by operations €° (where i ranges over all the possible errors that could occur on 
a codeword). A recovery operation will work correctly from some subset of these 
errors, which we call the correctable errors. Given a code, for a set of errors to 
be correctable by that code, we must have 


EF (Rene) Ey Uae)» Val (10.1.1) 


where & and / are logical strings encoded into the codewords Key and lene and 2, 7 
range over the correctable errors. Equation (10.1.1) is the condition for (classical) 
error correction which says that when any errors act on two distinct codewords, 
the resulting strings are never equal. This means that after the errors, from the 
resulting strings we can unambiguously determine the original codewords. To 
simplify the notation, the identity transformation will always be included in the 
set of errors €© (where no correction should be required). 


Orthogonality conditions of the form in Equation 10.1.1 are possible because 
we assume the errors are described by a finite number of discrete effects and 
not a continuous spectrum of operations (i.e. the errors are like the discrete 
errors we see in digital computation and not like the continuous errors of analog 
computation). 


The condition for error correction is illustrated in Figure 10.5 for a code with 
two codewords, under an error model in which there are four possible errors 
(including the identity). 


10.2 The Classical Three-Bit Code 


To make the above concepts more concrete, here we detail an example of a 
classical error-correcting code known as the three-bit code. The error model we 
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These sets must be 
disjoint 


Oenc 


Fig. 10.5 The error correction condition for a code with two codewords, under an error 
model in which there are four possible errors €°, EY, és EF affecting each codeword. 
The condition is that when any errors act on two distinct codewords, the resulting 
strings are never equal. 


b — L— b b b 
0 —Genc-— b = 0 +—b 
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Fig. 10.6 A circuit for the encoding operation for the classical three-bit code. Recall 
the circuit symbol for the classical CNOT gate from Figure 1.3. 


consider for this example is the bit-flip channel, described in Section 10.1.1. For 
the bit-flip channel the state of a (classical) bit is flipped with probability p, and 
is unaffected with probability 1 — p. 


A simple encoding scheme to protect information from errors introduced by the 
bit-flip channel is to increase the number of bits by adding two ancillary bits, 
and then to encode each bit b as a codeword ben. of three bits, according to the 
rule 


0+ 000 + 000 
1+ 100 111. (10.2.1) 


First two ancillary bits, initially set to 0, are appended to the logical bit to be 
encoded. Then the value of the first bit is copied to the ancillary bits. The result 
is that every bit is represented as a codeword consisting of three copies of itself. 
A circuit for the encoding operation is shown in Figure 10.6. 


After a codeword benc is subjected to the bit-flip channel, the result is a set of 
strings bene which occur with probability ae That is, 


bene = 4 (Denies Pe jt (10.2.2) 
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or explicitly 
000 — { (000, (1 — p)’), 

(001, p(1 — p)*), (010, p(1 — p)*), (100, p(1 — p)?), 

(011, p°(1 — p)), (110, p°(1 — p)), (101, p?(1 — p)), 

(111, p*)}. (10.2.3) 
We want to design a recovery operation that takes b.,, and returns the original 
logical bit string b. First we should verify that such a recovery operator exists, 
by checking that the classical error-correction condition (Equation (10.1.1)) is 
satisfied. For this to hold we will need to restrict the errors so that at most one 


bit flip occurs within each codeword (the strings given in the first two lines of 
(10.2.3)). This is a set of correctable errors. 


Exercise 10.2.1 


(a) Consider the restricted bit-flip error model where at most 1 bit flip can occur within 
each codeword. For the three-bit code described above, show that Equation (10.1.1) 
holds, and so it is possible to unambiguously correct single bit flips using this code. 


(b) Show that under an error model in which 2 or more bit flips can occur within each 
codeword, Equation (10.1.1) does not hold, and so the three-bit code cannot correct 
these errors. 


To recover the logical bit b from the corrupted codewords bene we need to learn 
which specific noise operator has been applied and undo its effect, restoring the 
information. A simple way to accomplish this task is to look at the value of 
each bit, take a majority vote of the three bits and reset all the bits to the 
value resulting from the majority vote. It will not be possible to generalize this 
procedure to the quantum case as it requires measuring all bits and that would 
destroy quantum information. We will instead use a different procedure. We will 
design the error correction procedure to restore the information in the first bit 
and use the last two bits to tell us on which bit the error occurred. This can be 
accomplished by comparing the value of the first bit to the remaining two bits 
in the code. In other words, we compute the parity (exclusive-OR) of the first 
and second bits, and the parity of the first and third bits. If the first bit agrees 
with both the other bits (i.e. both parities are 0), we conclude that no error has 
occurred. Similarly, if the first bit agrees with only one of the remaining two bits 
(and disagrees with the other remaining bit), then the first bit is correct and 
the bit with which the parity was 1 has flipped. In the remaining case that both 
the parities are 1 (i.e. the first bit disagrees with both the remaining two bits), 
we conclude that the first bit must have been flipped. In this last case, we can 
correct the first bit by flipping it back to its original value. Note that we never 
needed to learn the actual value of any bit, only the parities. The parities provide 
enough information to identify the errors that have affected the codeword. This 
information is called the error syndrome. 
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Fig. 10.7 A circuit for the recovery operation for the three-bit code. 


To implement the above recovery operation in a circuit, we first need to compute 
the parity of the first and second bits, and the parity of the first and third bits. 
This can be achieved with a pair of classical CNOT gates controlled on the first 
bit (recall Figure 1.3 to see why this works). After each CNOT gate, the target 
bits equals 0 if its value (before the CNOTs) agreed with the control bit, and 
equals 1 otherwise. Since the first bit is only a control bit for the CNOTs, the 
only way in which the first bit could have been flipped is by an error applied to 
the first bit, in which case (assuming at most one bit flip error) both targets of 
the CNOT gates (parities) will have value 1. So to correct the first bit, we want to 
flip it if and only if the remaining two bits (after the CNOTs) both equal 1. This 
can be achieved with a Toffoli (controlled-controlled-CcNOT) gate. After the first 
bit has been corrected, we must reset the two ancillary bits to their initial value 
of 0. Erasing bit values cannot be done reversibly, but an alternative approach is 
to introduce two fresh ancilla (initialized to 0) and discard (or ignore) the used 
ancilla. A circuit for the recovery operation for the three-bit code is shown in 
Figure 10.7. 


There is a different way to look at the effect of encoding. Instead of looking at the 
behaviour of errors on the encoded state, we can think of the encoding operation 
as transforming the error operators as in Figure 10.8. The effect of the noise can 
be seen as affecting the ancilla by conjugating! the error €°% by the encoding 
operation Gey. and studying its effect on the input (b,0,0). As you will see in 
Exercise 10.2.2, the transformed error £9 " flips the first bit if and only if it also 
flips the remaining two bits. So the first bit can be corrected by applying just 
a Toffoli gate. The Toffoli gate is the new recovery operation RO, and this is 
equivalent to first applying the encoding operation Gey- for the three-bit code, 
and then applying the original recovery operation R© for the three-bit code. 
This point of view tracks the bit of information itself instead of the values of the 
individual bits that form the code. 


Exercise 10.2.2 


(a) Consider the bit-flip channel, restricted to the case that at most one bit flip occurs 
within a block of three bits. For each of the possible errors acting on a block of three 
bits (no bit flip, or a bit flip on the first, second, or third qubit), conjugate the error 
by the encoding operation for the three-bit code (given in Figure 10.6), and compute 


1To conjugate an operator A by another operator B means to multiply A by B~1 on the 
left, and by B on the right, forming B~!AB. 
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Fig. 10.8 We can insert GeeGe the identity) between the error and recovery blocks 
from Figure 10.4. Now we can view the error as being conjugated by the encoding 
operation (shown in the first dashed box on the left), and study the effect of the 
transformed error €@’ on the state of the three bits. The new recovery operator is a 
shown in the dashed box at the right end of the circuit. 


the effect of this transformed error €©’ on the input (b,0,0). (Notice that ee flips the 
first bit if and only if it also flips the remaining two bits.) 


(b) For the Genc and RO operations given for the three-bit code, show that RO = 
R° Gene is the Toffoli gate. 


The recovery operation for the three-bit code above will only succeed if at most 
1 bit flip occurs within each codeword (correctable errors), but this suffices to 
reduce the probability of error. For the bit-flip channel, bits are flipped inde- 
pendently with probability p. So without error correction, this is the probability 
of error on a single bit. When we encode the bit using the three-bit code, the 
probability of two or more bits of a codeword being flipped is 3p?(1 — p) + p3, so 
the probability of an unrecoverable error changes from p to 3p? —2p? (a change in 
the exponent of the error probability). The three-bit code gives an improvement 
as long as 3p? — 2p < p, which happens whenever p < 3 (if p > $, then we could 
modify the three-bit code accordingly by encoding 0 as 111 and 1 as 000). If 
p= 4 then the error channel completely randomizes the information, and there 
is no hope of error correction helping. 


The three-bit code is an example of a repetition code, since codewords are formed 
by simply repeating the value of each logical bit a specified number of times. 
We will see later that simple repetition codes do not exist for quantum error 
correction, but that the idea can be modified to give codes that protect quantum 
information. 


10.3 Fault Tolerance 


In the scheme described in the previous sections, the recovery operation recovers 
the logical string b, and so implicitly decodes the codeword. To protect the 
information from errors in later stages of the computation, we would have to 
re-encode the information again. However, this approach leaves the information 
unprotected between the decoding and re-encoding. 


Another shortcoming of the above strategy is that it implicitly assumes that 
the encoding and error recovery operations are themselves free from errors. The 
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Fig. 10.9 Error correction for the three-bit code without decoding the state. A code- 
word benc = bbb has been exposed to correctable errors, yielding the string benc. The 
first stage of the circuit computes the error syndrome (parities) into an ancilla, and the 
second stage of the circuit corrects the errors in benc based on the syndrome. The hollow 
circles in the controlled gates in the circuit correspond to a 0-control (i.e. conditioned 
on that control bit being 0). 


method described above will have to be modified when we take into account that 
all gates are prone to errors, to ensure that the correction procedure does not 
itself introduce more errors than it attempts to correct. 


A theory of fault-tolerant computation gives procedures for performing computa- 
tions directly on codewords (without the need for decoding), and for performing 
encoding and error recovery in ways that are themselves robust against errors. 
In this section, we describe an error correction scheme that corrects codewords 
directly, without decoding. We will see in Section 10.6 how this approach can 
be extended to realize fault-tolerant quantum computing, by performing all our 
computations directly on the quantum codewords themselves (so the codewords 
are never decoded). 


Recall that for the three-bit code, the recovery operator used a classical CNOT 
gate to compute each of two parities. A CNOT gate computes the parity of the 
two bits it acts on, and puts the resulting parity on the target bit. So the recovery 
operator in Figure 10.7 computes the required parities in place, writing the 
resulting parities onto the last two bits of the codeword. An alternative approach 
is to compute these parities into two additional ancillary bits (leaving all three 
bits of the register initially containing the codeword unaffected). The idea is 
to compute the error syndrome into an ancilla, and then use this syndrome 
information to control a recovery operation R° . Given a corrupted codeword 
bene the recovery operation RO" returns the original codeword bene. The ancilla 
is then discarded, and a freshly initialized ancilla is provided for computing the 
syndrome in the next round of error correction. This scheme is illustrated for 
the three-bit code in Figure 10.9. 


10.4 Quantum Error Correction 


We will now turn to the quantum case and see that it is possible to generalize 
classical error correction despite the facts that 
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1. the quantum evolution is a continuous process as opposed to the classical 
discrete case, 


2. the encoding operation cannot make multiple copies of arbitrary quantum 
states, and 


3. the corruption of encoded quantum state cannot be detected through the 
complete measurement of all the qubits. 


10.4.1 Error Models for Quantum Computing 


When we discussed error models for classical computing, we noted that, in gen- 
eral, errors may not affect bits independently, and so the error models would 
have to account for any correlation between errors on different bits. The same 
is true for errors on quantum bits. It turns out to be simpler to describe codes 
for errors that affect qubits independently, and fortunately the important con- 
cepts for error correction can be understood under these restricted error models. 
For this reason, we will present the theory in the general case, but our exam- 
ples will deal only with error models in which errors occur on single qubits 
independently. 


Errors occur on a qubit when its evolution differs from the desired one. This 
difference can occur due to imprecise control over the qubits or by interaction of 
the qubits with an environment. By ‘environment’, we mean everything external 
to the qubit under consideration. A ‘quantum channel’ is a formal description of 
how qubits in a given setting are affected by their environment. 


The generic evolution of a qubit in the state |0) interacting with an environment 
in the state |E) will yield a superposition state of the form: 


|0)|) + |0)|E1) + 21)|E). (10.4.1) 


That is, with amplitude 3, the qubit remains in the basis state |0) and the 
environment evolves to some state |Z). With amplitude G2 the qubit evolves 
to the basis state |1) and the environment evolves to some state |E2). Similarly, 
when the qubit is initially in state |1) with the environment in state |Z), we have 


[1)|Z) + 83|1)|E3) + Ga|0)|E4). (10.4.2) 


More generally, when a qubit in a general pure state interacts with the environ- 
ment in state |E), we will have 


(a |0) ae a|1))|E) ++ a9 3|0)| £1) + a9 82|1)|E2) + a483|1)|E3) + a1 84|0)|E4). 
(10.4.3) 
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We can rewrite the state after the interaction as 


a9 31 |0)|E1) + 0 92|1)|£2) + a1 83|1)|E3) + a1 94|0)| £4) 
= 5(0|0) + a1|1)) (G1|E1) + 63|Es)) 
+ 3(a0|0) — a4|1)) (41|E1) — 631s) 
+ 3 (a0|1) + 1/0) (62|B2) + B4|E4)) 
+ 4(ao|1) — @1|0)) (G2|H2) — B4|Ba)). (10.4.4) 
Let |) = ao|0) + a1|1). Then we have 


a0) — an|1) = Ziv) (10.4.5) 
Qo|1) — ay|0) = X Zw) (10.4.7) 


and the interaction between the state and the environment can be written as 


lb) |B) 3 |) (G1|E£1) + 83|E3)) + $(Z|v)) (G1|E1) — 63|Es)) 


+ 4(X|v)) (G2|E2) + BalEs)) + $(XZ|b)) (B2|B2) — B4|Es)). 
(10.4.8) 


This represents the most general evolution that can occur on a single qubit, 
whether or not it interacts non-trivially with an environment. 


The interesting point is that a generic continuous evolution has been rewritten 
in terms of a finite number (4 in this case) discrete transformations; with various 
amplitudes (which come from a continuous set) the state is either unaffected, 
or undergoes a phase flip Z, a bit flip X or a combination of both XZ = —1Y. 
This is possible because these operators form a basis for the linear operators on 
a Hilbert space of a single qubit (see Exercise 10.4.1). 


Exercise 10.4.1 Prove that any unitary operation U acting on a composite Hilbert 
space H4® He, where Ha has dimension 2 can be decomposed as U = I ® FE; + X ® 
Ex+Z® Ez+/Y ® Ey for some operators E7, Ex, Ez, Ey. 


Specific errors can be described as special cases of the right side of expression 
10.4.8. For example, suppose we know that the error is a ‘bit flip’, which has the 
effect of the NOT gate X with some amplitude and leaves the qubit unaffected 
(applies the identity) with possibly some other amplitude. This would correspond 
to states of the environment such that (@)|E1) = (@3|E3) and 62|E2) = 64|E4). 
Equation (10.4.8) for the general evolution thus simplifies to 


2b) |B) > Bi |b)|F1) + X Bel) |E2). (10.4.9) 


Single qubit errors resulting from a lack of control leading to an imprecise rota- 
tion of the qubit about the x-axis of the Bloch sphere will have 3)|E1) = cG2|E2) 
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for some constant c, so that the environment’s state factors from the qubit’s 
state and the operator cG2I+ (2X is unitary. In other words, |7)|E) + ((cGol + 
X B2)\W)) ® |E2). The error is then called coherent. When the environment state 
does not factor out, the error will be incoherent. The case where (;|F1) is or- 
thogonal to 32|E>) is the quantum description of the classical bit flip error model 
where the operator X (bit flip) is applied with probability ||? = p and remains 
unaffected with probability |3,|? = 1 —p. The generic evolution of this latter 
case is non-unitary. 


The case of the generic evolution of a qubit can be generalized to the situation 
of a larger quantum system of interest (e.g. a register of qubits in a quantum 
computer) in some logical state |), interacting through some error process with 
an environment initially in state |). Suppose this process is described by a 
unitary operator Ue, acting on the joint state of the system of interest and 
the environment. Then the state of the joint system after the interaction is 
Uerr|t)|E). Its density matrix is 


The density matrix of the system of interest is obtained by tracing out the 
environment: 


Trp(p) = Tre(UerlY)Z EIU.) = SES wlEe? = (104.11) 


7 


where the Ee are operators acting on the system of interest (not including the en- 
vironment). Recall from Section 3.5.3 that the map E€@ : |~)(~| HY, EP lw) (y| 
ee } is a superoperator, and is defined in terms of the Kraus operators Ee . The 
derivation of Equation (10.4.11) is the subject of Exercise 10.4.2. The error model 
is completely described by the €®. 

As an example, the bit-flip error discussed above can be described as the inter- 
action between a qubit and the environment that applies the identity operator 
with probability 1 — p and the X operator with probability p. If the qubit is 
initially in the state |q), then the state after the error process is described by 
the density matrix 


pf = (1—p) |b) (b| + pX|b) (|X. (10.4.12) 


So the Ee describing this error model are 


Ef =JS1-pl (10.4.13) 


Ef = /px. (10.4.14) 


Exercise 10.4.2 Let |W) and |F) be the initial states of a system Q and its envi- 
ronment E, respectively. Derive Equation (10.4.11) by evolving |q) and |E) under a 
unitary operator Uer, and tracing out the environment. 
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Hint: Define Uerr = )> Qp,eSp ® Ee, where {Sp} and {E,} are bases for operators acting 


on the system of interest and the environment, respectively, and get tad in terms of S,, 
Ee, |E), and Qp,c. 


Exercise 10.4.3 Show that the unitarity requirement for the evolution operator of 
the joint system environment state implies that 


>> e8'e2 = 1. (10.4.15) 


10.4.2. Encoding 


Once we have a description of the potential errors, we need to find a way to 
protect the logical states |q) of our quantum system against these errors. As 
in the classical case we will enlarge the system at hand by adding an ancilla 
to the logical states. Without loss of generality, we will assume that our ancilla 
is initialized to |00---0). We then look for transformations that map the joint 
states |W) @ |00---0) to some encoded states |Wenc). The subspace spanned by 
the encoded states will define the code. We will then look for transformations of 
the encoded states so that the effect of the errors on the quantum information 
can be reversed. 


As a first idea for a quantum error-correcting code, we might be tempted to 
do exactly what was done classically for the three-bit code and just make three 
copies of every qubit. The following theorem says a simple repetition code is not 
possible for arbitrary quantum states. 


Theorem 10.4.1 (No-cloning) 


There is no superoperator F that performs 


[2b) (| & |5) (| LW) (| @ |W) (HI (10.4.16) 


for arbitrary choices of |W) (where |s) is some fixed ancilla state). That is, there 
is no quantum operation which can clone an unknown arbitrary quantum state. 


Theorem 10.4.1 is called the no-cloning theorem, and it is fundamental to quan- 
tum information (e.g. quantum cryptography is based on it). It essentially says 
that we cannot build a device that makes perfect copies of arbitrary unknown 
quantum states. The theorem follows from Exercise 10.4.4, and also follows di- 
rectly from the fact that superoperators are linear, but the cloning map is not. 


Exercise 10.4.4 


(a) Suppose we have basis elements S = {|41), |2)} where |21), |2) are orthogonal 
1-qubit states (so (#1 |¢%2) = 0). Describe a circuit using CNOT and 1-qubit gates that 


will clone both |w1) and |q2). TEAM LinG 
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Hint: Use the basis change operator from the computational basis to the S-basis. 


(b) Suppose T = {|ws), |4)} where |73),|4) are non-orthogonal 1-qubit states (so 
(w3|t4) 4 0). Prove that there does not exist a unitary operator on H) @ H2 that maps 


|2)|0) + |4)|e) 
for both |) € T. 
I) ) 
|0) —Uenet— } enc) 
|0) J 


Fig. 10.10 Encoding a single qubit |W) by a three-qubit codeword |tenc). 


In light of the no-cloning theorem, we will have to use a different principle to 
devise an encoding scheme for quantum error correction. Encoding for quantum 
error correction must be implemented via a unitary operator Ugne that acts on 
the state we wish to encode, tensored with an ancilla of some fixed number of 
qubits in some specified initial state. If the state we wish to encode is a qubit 
state |W) and the ancilla is initially in the state |00---0), then the result of the 
encoding is the codeword state: 


|Wene) = Uenc|w) |00 — 0). (10.4.17) 


As an example, we can define a quantum version of the 3-bit code, that encodes 
a 1-qubit state |w) by a codeword of three qubits. The encoding operation Uenc 
will take the qubit |W) along with two ancillary qubits initially in state |0)|0) 
and output a three-qubit encoded state |tenc), as shown in Figure 10.10. 


In a more formal way, a code C is defined as a subspace of a Hilbert space. An 
encoded qubit is a 2-dimensional subspace. 


A possible choice for the unitary Uene for a three-qubit code could be that which 
maps 
(0/0) + a1|1))|0)|0) ++ ao|0)|0)|0) + a4|1)]1)]1). (10.4.18) 
Sr 
ancilla 


Later, we will see that this three-qubit code can be used for correcting a certain 
restricted class of single-qubit errors. In the next section, we will see conditions 
that the encoding operator Uen. must satisfy for this to be possible. 


10.4.3. Error Recovery 


As we saw in Section 10.4.1, when a quantum system initially in a state |7) is 
exposed to errors through unwanted interaction with the envizonment. ene result 
In 
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is the noisy state with density matrix 


$7 e2$h) (wler" (10.4.19) 


uv 


where the Ee are operators that define the error model. The goal of error correc- 
tion is to find a way to invert the effect of the noise on the quantum information. 
Suppose we encode the state |) as described in Section 10.4.2, 


lPenc) = Uenc|)|00 - - - 0). (10.4.20) 


Errors transform |Wen-) to a state with density matrix 


>- EP enc) HenclE" (10.4.21) 


where we write ee to emphasize that the noise operators shag must be modified to 
correspond to the noise acting on a quantum codeword |wenc) which has higher 
dimension than the original quantum state |). 


Exercise 10.4.5 Suppose the states |y) are 1-qubit states. Consider the error model 
for independent bit flips given by the €@ defined in Equations (10.4.13) and (10.4.14). 
Suppose we encode each qubit of information by adding two ancillary qubits. Give error 
operators ee that describe the effect of this error model on this three-qubit system. 
Hint: There are 2° = 8 different Ee. 


In general, if we encode the quantum information, subject it to the noise and 
decode (using the inverse of the encoding operation, Uj.) we will not always 
recover original state |7)). That is, in some cases 


Uh (>: EP vc ele Venc 


FW). (10.4.22) 


Trance 


uv 


To recover the quantum information we need a quantum operation R®, called 
the recovery operation, that has the effect of undoing enough of the noise on the 
encoded state so that after decoding and tracing out the ancilla we are left with 
the original state |7), as shown in Figure 10.11. 


In general the recovery operation R® will be a superoperator defined in terms of 
a sum over some operators Ree To define an error-correcting recovery operation, 
we first need a notion of error which can be introduced through the notion of 
fidelity. For given code subject to noise described by Ee , we define the fidelity 
of a recovery operation R by 


F(R,C, £) = minyy) (b|puld) (10.4.23) 
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Ie) ERROR RECOVERY a i 
, t — 
i Uenc Ea ene Re L Pnoise 


Fig. 10.11 We want to define our code so that we can find a recovery operation R® 
such that applying R® to the state after decoding recovers the original state |), with 
the noise transferred to the ancilla. Note that in comparison with Figure 10.8, R® is 
the analogue of R° and E@ is the analogue of €°. 


where 


py = Dane | D> REUE (I> EPVencl*?)|00- + -0)(00- + 0] HIU4,.€" UR?" 
j i 

(10.4.24) 
and the corresponding worst-case error probability parameter p is 


p=1-F(R,C,&). (10.4.25) 


It is worth explaining the meaning of the above definition. Suppose some state 
|) is encoded into the state Uenc|t)|00...0), then subjected to some noise (cor- 
responding to the Ee operators), then subjected to a recovery operation (cor- 
responding to the ied operators), and then the ancilla workspace is discarded 
giving back some state py on the original Hilbert space. We are interested in 
how close p is to the original state |q)(q%|. The probability py = (W|py|w) can 
be regarded as the probability of no error on the encoded state. The quantity 
F(R,C,€) is the minimum of all such probabilities py, over all encoded states 
|). Thus the error probability parameter defined in Equation 10.4.25 gives us an 
upper bound on the probability with which a generic encoded state will end up 
at the wrong state (strictly speaking, its square root is the probability amplitude 
with which an error has occurred; this will be the more relevant quantity when 
consider ‘coherent errors’). 


A recovery operation R® is error correcting with respect to a set of error oper- 
ators if the error probability parameter p equals zero when R® is applied to a 
codeword that was exposed only to those error operators. This implies that 


TYanc dL RF (U. (= EP vce Um Re = Ke) (yw. 
j a 
(10.4.26) 


One way of thinking about the action of the recovery operation R® is that. it 
pushes all the noise into the ancilla, so that the errors are eliminated when 
the ancilla are traced out. The encoding operation can be seen as a way of 
transforming the errors so that their action on the encoded states is recoverable. 
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Inserting |tenc) = Uenc|y)|00---0) into the expression on the left hand side of 
Equation (10.4.26) (not showing the trace step), we have 


So Re (Us. (=: EP Uene|)|00- +0) (00- (Ue?) bx FM. 
j a 
(10.4.27) 


The above state can be rewritten as 


5 Re (= (Wh, EP Uenc) |w)]00-- +0) (00- +0 (u (Uae te) Re. 
J 


7 


(10.4.28) 


We can think of the operators (Ui? Venc) as representing transformed errors 


acting on |7)|00---0). The goal is to choose Uenc in such a way that the behaviour 
of these transformed errors allows us to find a recovery operation R® that gives 
back |w) (w)| ® Pnoise (notice that the noise will in general be a mixed state, so we 
have written the final state with a density matrix). 


For a code with two logical codewords, applying Ue, to the computational basis 
states |0) and |1) produces the codewords |Qenc) and |lenc), respectively. If the 
code is to be useful, there must exist a recovery operation R® satisfying Equation 
(10.4.26) for both |Qenc) and |lenc). It can be shown (by a lengthy calculation) 
that for such an R® to exist, we must have 


Wencle 6 Wittene) zs Cig tm (10.4.29) 


for 1,m € {0,1}, where the c;; are constants. Equation (10.4.29) gives the con- 
ditions for quantum error correction. It implies that after being subjected to 
errors, the different encoded states (1 A m) remain orthogonal. This condition is 
necessary as otherwise we would be unable to reliably determine which codeword 
a given corrupted state came from. 


Equation (10.4.29) also implies that the noise scales all the encoded states |lenc) 
by the same amount. This ensures that when encoded states in quantum super- 
position are exposed to errors, the relative coefficients are undisturbed. 


If Equation (10.4.29) is satisfied by some set of correctable errors {é2 }, then it 
is also satisfied for any linear combinations E se of errors from {E ts \. This means 
that if a set of errors is correctable for a given code, then any linear combination 
of those errors is correctable for the same code. Furthermore, the same recovery 
operation that corrects the errors ey will correct the errors {é~}. 


In particular, it is useful to note the following. Any single-qubit unitary operator 
can be written as a linear combination of the Pauli operators I, X,Y, Z. So if 
we can devise a quantum error-correcting code for which J,X,Y, and Z are 
correctable errors on a qubit, then any single-qubit unitary (with identity on 
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the remaining qubits) is a correctable error. This is a discretization of errors, 
and it implies that when we design quantum error-correcting codes, it suffices to 
consider errors from a finite set. 


Exercise 10.4.6 Prove that if the error operators te} satisfy Equation (10.4.29), 


then so do the error operators {ooh where Ee =p Cee for some constants c',. 


Exercise 10.4.7 Prove that if the recovery operator R® defined by Kraus operators 
{R2} corrects an error model described by the error operators {E>}, which satisfy 
Equation (10.4.29), then R® will also correct an error model described by the error 
operators {Eek where Eo =>, Cee for some constants c/,. 


Example 10.4.2 Recall from Section 4.2.1 the operator R2(@), which corresponds to 
a rotation about the x-axis of the Bloch sphere by mapping 


|0) + cos (4) |0) — isin ( 


) |1) — isin ( 


) (1) (10.4.30) 
) |0). (10.4.31) 


NID NID 
NID NID 


|1) + cos ( 


Consider the error model that randomly selects one qubit out of a block of three qubits 


and applies R,(6) to it (and does nothing to the other three qubits). Recalling from 
Section 4.2.1 that 

Re(0) = cos (£) I — isin (2) X (10.4.32) 
we see that this error model corresponds to the error model with Kraus operators 


Ei = Ja ( (cos (4) I — isin (4) X) eI® 
Eh = 4a(1@ (cos ($) I — isin (4) Xx) @ 1) 
€5 = Jz(1@ 1. (cos ($) I isin ($) X)) 


So we have expressed error operators in the error model as a linear combination of 


G&=I1e8IT@I, 
&=Xe TT, 
f= TORO. (10.4.33) 
€3=I1@1@X 


This implies that if there is a recovery procedure for correcting the errors €;, then 
there is a recover procedure for correcting an R,(0) error to at most one of the three 
qubits. 
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Example 10.4.3 In the previous example, we showed that the error operators of the 
given error model can be expressed as linear combinations of 1® 1 @/,X @®I1@I,1® 
X @®T,andJl @I® xX. 


Let us assume that there is an error recovery procedure Re (for simplicity, we will 
assume it is unitary, which means there is only one Kraus term) that will correct up 
to one bit flip on the three qubits. 


This means that, for any codeword |Wenc) = Uenc|t))|00), encoding a single qubit |) 
there exists a R® such that 


t t 
ReUsncE? [Penc) benclEP UencR® = |b)(] @ 145) (dil (10.4.34) 
for some normalized state vector |¢;), which means that (up to a global phase) we have 


R°UL EF [Wenc) = |)|b3). (10.4.35) 


Suppose the error operator €{, as expressed in the previous example in terms of the 
correctable operators {€;}, is applied to the codeword. Then it evolves to the state 


E%|Wene) benclE’L = cos? (2) ( QI® 1) |Penc) (Pene| ( ale 1) 
— sin? (8) (X @ 1B) |tenc) (onel (X @ I @ 1) 
+isin ($) cos () (1 1. 1) |Wenc) (enc| (X @1@ 1) 
—isin (8) cos ($) (X @1@1) fone) (Wenel(1@ 1 1). 
After we apply Ui, followed by R®, we get (using Equation 10.4.35) 


R2ULE'1|Wenc) (WenclEUencR® = cos? (2) |b) (ab Side 
— sin? ($) |) (|  |41) (1 
a onl) (W| @ |bo) (or 
—isin (3) cos (5) |b) (| ® |¢1) (bo 
= |w)(b] @ |6')(6"| (10.4.36) 


where |¢") = cos ($) |¢o) — isin ($) |¢1). 
Thus after tracing out the ancilla, we are left with |) (|. 


Given an error model corresponding to a specified set of error operators ed , de- 
signing a quantum error-correcting code reduces to finding an encoding operator 
Uene and a recovery operation R® so that Equation (10.4.26) is satisfied. 


Exercise 10.4.8 Consider again the case of single qubits subject to independent bit 
flip errors. Suppose we encode each qubit with a codeword of three qubits according to 
Equation (10.4.18). 
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(a) Simplify the error model obtained in Exercise 10.4.5 assuming that at most 1 bit 
flip occurs on each codeword. Give the corresponding error operators ES ; é ; E2 and 
SQ 
Es. 
(b) Show that the four error operators obtained above, together with the encoded states 
|Oenc) = |000) and |lenc) = |111), satisfy Equation (10.4.29). (This shows that there 


exists a recovery operation R®@ so that using the three-qubit code described in the next 
section we can correct single bit flip errors within a codeword). 


(c) Show that if we allow more than one bit flip within a codeword (so that we have 
all 8 of the €® obtained in Exercise 10.4.5), Equation (10.4.29) is no longer satisfied. 


10.5 Three- and Nine-Qubit Quantum Codes 
10.5.1 The Three-Qubit Code for Bit-Flip Errors 


The no-cloning theorem prevents us from implementing a quantum three-qubit 
repetition code that encodes a qubit by a codeword consisting of three copies of 
that qubit. However, the idea can be modified slightly giving a three-qubit code 
that can be used to correct bit flip errors. 


The error model we are initially interested in is the bit-flip channel as described 
in Section 10.4.1: 


p= PY] > ps = (1— py) (Y| + v XI) (|X. (10.5.1) 


The three-qubit bit-flip code is obtained by introducing ancillary qubits and 
encoding each logical qubit by a codeword of three physical qubits according to 
Equation (10.5.2). 


aig |0) + a1]1) + ap|000) + a1|100) + ag|000) + a, |111). (10.5.2) 


In other words, the encoding works by mapping the basis state |0) to |000), and 
mapping the basis state |1) to |111). We can think of this encoding operation 
as embedding the state into a 2-dimensional subspace of a larger 8-dimensional 
space. Note that this procedure is not a simple repetition rule. The encoding 
of the basis states |0) and |1) is achieved by simple repetition, but consider for 
example the encoding of a uniform superposition: 


75 (0) + |1)): J5 (000) + |100)) + 35 (000) + |111)) 
#5 (0) + [))°”. (10.5.3) 


A circuit that performs the encoding procedure for the three-qubit code is shown 
in Figure 10.12. 
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|) = a0|0) + ai|1) 


° 
|0) : xX : |Wene) = ap 000) + ay|111) 


Fig. 10.12 A circuit for performing the encoding given by Equation (10.4.18). 


Re 


1x 


Fig. 10.13 The recovery operation R® for the three-qubit bit flip code is the quantum 
Toffolli gate. Providing at most one bit flip error occurred on the codeword, the Toffoli 
gate will recover the original state |q), leaving some ‘noise’ in the ancillary qubits. 


In Exercise 10.4.8 (b), the objective was to prove that if at most one bit flip error 
occurs in a codeword, then there exists a recovery operation R® that works for 
the encoding given by Equation (10.5.2). This recovery operation R® is the 
quantum Toffoli (controlled-controlled-NOT) gate, as shown in Figure 10.13. 


Providing at most one bit flip error occurred in the codeword |enc), the Toffoli 
gate, after a decoding operation, which is the inverse of the encoding operation, 
will recover the original state |) in the first qubit, leaving some ‘noise’ in the 
ancillary qubits. 


Exercise 10.5.1 Show that if at most 1-qubit error occurs on a codeword for the 
3-qubit bit flip code, then, after decoding using the inverse of the encoding operation, 
the Toffoli gate will recover the original state |), transferring the ‘noise’ to the ancillary 
qubits. 


When the error is independent, there is some chance of having more than one bit 
flip operator acting on the encoded state. Exercise 10.4.8 (c) shows that when 
this happens the error is not in general correctable. After the independent errors 
act on the encoded state, the resulting state will be a linear combination of 
the encoded state with correctable errors applied to it and of the encoded state 
with uncorrectable errors applied to it. The component with correctable errors 
operators will be corrected by the recovery procedure, but the component with 
uncorrectable in general will not return to the original state. The worst-case error 
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probability parameter (or ‘error probability’) as defined in Equation 10.4.25 after 
error correction will be of order p? in analogy to the classical discussion at the 
end of Section 10.2. 


Exercise 10.5.2 Prove that the error operation p> Us ® Us ® UspUs ® uj ® ul, 
with sin?(@) = p has worst-case error probability parameter in O(p?). 


10.5.2. The Three-Qubit Code for Phase-Flip Errors 


Qubits can undergo errors other than bit flip (X) errors; they could also undergo 
phase flip (Z) errors. In the case where only phase errors are induced, Equation 
(10.4.8) reduces to 


2b) |B) 5|v) (@1|E1) ae B3|E3)) ae 52 |p) (@1|E1) me G3|E3)). (10.5.4) 


The above equation describes the evolution of the qubit when the amplitudes 
evolve either through an identity operator or a phase flip operator (Z). This 
behaviour can result from mis-calibration of single qubit gates (an under- or 
over-rotation on the Bloch sphere) leading to a coherent phase error, (when 
|E,) = e’®|E3) for some ¢) or more generally from an undesired interaction 
with neighbouring qubits or the environment (when |E,) 4 e’®|£3)). Both error 
models contain the operators J and Z and thus if we find an error correcting 
code for one set of operators, it will also be error correcting for the other one as 
discussed in Section 10.4.3. 


In the case where ((£1|G{ — (£3|93) ((1|E1) + 63|E3)) = 0 this evolution can 
be thought as a qubit that undergoes a Z error with probability p, and no error 
with probability 1 — p where 
2 
p = }||P:|E1) — 93|Es)|| (10.5.5) 
2 
1—p= ;|[GilE1) + 3|Es) || - (10.5.6) 


We will call this error model the phase-flip channel in analogy to the bit flip 
error model we have seen previously. 


There are no phase errors in classical digital information, but fortunately it 
is easy to transform a phase-flip error into a bit-flip error, which means we 
can adapt the three-qubit bit-flip code to correct phase-flip errors. Specifically, 
consider the Hadamard basis states 


|+) = J5 (10) +11), 
|-) = 45(I0) - |1)). (10.5.7) 


The effect of a phase flip is to take the state |+) to the state |—), and vice versa. 
So if we work in the Hadamard basis, phase flip errors are just like bit flip errors. 
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So we encode |0) as |+)|+)|+) and |1) as |—)|—)|—). According to this rule, a 
general 1-qubit state is encoded as: 


ag|0) + a1|1)  a|000) + a1|100) + ag|+++) + a1 | ). (10.5.8) 


The operations needed for encoding, error detection, and recovery are performed 
exactly as they were for the three-qubit bit-flip code, only now with respect to 
the {|+),|—) }-basis. 


Recall that the Hadamard gate performs a basis change from the computational 
basis to the Hadamard basis, and vice versa (since H is its own inverse). There- 
fore, we see that the encoding for the three-qubit phase-flip code is accomplished 
by the circuit shown in Figure 10.14. 


Just as phase flip error model is equivalent to the bit-flip error conjugated by 
Hadamard gates model, we can see that the phase-flip recovery and the bit- 
flip recovery operation are also the same up to a conjugation by Hadamard 
gates. 


It will be useful to introduce the notion of the ‘phase parity’ of a product of |+) 
and |—) states as the parity of the number of |—) factors in the product. Let 
parity ‘—1’ correspond to states with an odd number of |—)s, and let parity ‘+1’ 
correspond to an states with an even number of |—)s. 


Exercise 10.5.3 Give the unitary operator for error recovery for the three-qubit phase 
flip code. 


10.5.3. Quantum Error Correction Without Decoding 


In Section 10.3 we briefly discussed the need for an error correction scheme that 
corrects codewords directly, without decoding the state. We saw such a scheme 
that made use of an ancilla of bits, into which the error syndrome was computed. 
The recovery operation was controlled by this syndrome. In this section we recast 
the three-qubit quantum code in this framework. In general, quantum error- 
correcting codes that are used to implement fault-tolerant quantum computing 
(see Section 10.6) are usually formulated in this way. 


IW) ? ° A 
\0) —X iW 
|0) XH 


Fig. 10.14 Encoding circuit for the three-qubit phase flip code. 
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Compute syndrome _ Recover ; 
7 ERROR ’ ’ = | 
9 |000) + ai|111) |- £2 t xX > €0|000) + a1 |111) 
—— | e | xX J 
|0) 4X Xx ® ! O |p 
io) x Ux 4 b i pee 


Fig. 10.15 The recovery operation for the three-qubit bit flip code by computing the 
error syndrome into an ancilla, and then controlling the recovery operation by the 
syndrome. The hollow circles in the controlled gates in the circuit correspond to a 
0-control (i.e. conditioned on that control qubit being |0)). 


7 Z 


x H\-e— Ht 


Fig. 10.16 The CNOT gate is equivalent to a controlled-Z gate, interchanging the 
roles of the control and target qubits, and conjugating the new control qubit by the 
Hadamard. 


The recovery operation for the three-qubit bit-flip code by computing the error 
syndrome into an ancilla, and then controlling the recovery operation by the 
syndrome, is shown in Figure 10.15. 


As illustrated in Figure 10.16, the CNOT gate is equivalent to a controlled-Z gate, 
interchanging the roles of the control and target qubits, and conjugating the new 
control qubit by the Hadamard gate. Note that if in Figure 10.16 we initialize 
the second qubit to |0) and then measure the second qubit in the computational 
basis, this realizes a measurement of the Z-observable on the first qubit (recall 
Section 3.4, Example 3.4.1). The result of the measurement indicates whether 
the first qubit is in the eigenstate |0) of Z corresponding to eigenvalue +1, or 
the eigenstate |1) corresponding to eigenvalue —1. 


Exercise 10.5.4 Show the identity between the circuits depicted in Figure 10.16. Note 
that Z = HXH, and the controlled-Z operation is symmetric with respect to which 
qubit is the target and which is the control qubit. 


Instead of quantumly controlling the recovery operation on the syndrome as 
shown in Figure 10.15, we could perform a measurement of the syndrome and 
then classically control the recovery operation on the measurement result (recall 
Exercise 4.2.8), as illustrated in Figure 10.17. 


Since a CNOT gate is equivalent to a controlled-Z gate, then the parity mea- 
surements composed of CNOTs in Figure 10.15 can equivalently be realized by 
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Fig. 10.17 The recovery operation could also be performed by measuring the syn- 
drome in the ancilla qubits and classically controlling which correction operator to 
apply depending on the syndrome bits. 
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Fig. 10.18 An equivalent circuit for the computation of the syndrome for the three- 
qubit bit flip code. 


controlled-Z gates, as shown in Figure 10.18. This syndrome measurement is thus 
equivalent (recall Exercise 7.2.2 which shows a similar equivalence) to measuring 
the observables 


ZaZel, 


ee (10.5.9) 


Since these operators are tensor products of Pauli matrices, their eigenvectors 
have eigenvalues +1. The code, which consists of all states of the form a|000) + 
8\111), is the subspace of eigenvectors with eigenvalue +1. When this set of states 
undergoes any product of X-errors, the resulting states are still eigenvectors of 
products of Z-operators, but the eigenvalues are modified as follows: 


ZOZ8Il ZEI@Z 


I. @I® I(a|000) + A111) Al 44 
X ® I @ I(a|000) + B]111)) =a = (10.5.10) 
I @® X ® I(a|000) + 3111) =I +1 
I @I® X(a|000) + 8111) 44 24; 


For example, the eigenvalue of Z ® Z ®@ I on state I ® I ® X(a|000) + B]111)) is 
—1. 


There is a one-to-one correspondence between the eigenvalues and how the code 
is mapped under the errors. When we learn the parities, we know which error has 
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occurred and we can undo it using a recovery operation that, here, corresponds 
to the error operator itself. 


There is a short cut to evaluating the table of parities when the parity operators 
are tensor products of Pauli operators and the error operators are also tensor 
product of Pauli operators. In this case, the parity operators (ie. Z@®Z@I 
and Z @I@ Z) and the error operators either commute or anti-commute.? The 
commutation or anti-commutation relation corresponds to the parities +1 or —1 
we get when we measure the parity operator A on the state Blu) where |y) was a 
+1 eigenstate of A. For example, the bit flip error operator acting on the second 
qubit, 7 ® X @ J, anti-commutes with Z ® Z ®I but commutes with 7 @I® Z, 
and thus we obtain the parities in the third row of Equation (10.5.10). This is a 
short cut in the sense that we can compute the parities (equivalently, measure 
the parity operators) by simply computing whether the error operator and parity 
operator commute or anti-commute. 


Just as a bit parity measurement of 2 qubits corresponds to measuring the observ- 
able Z ® Z, we can see that evaluating the phase parity of 2 qubits corresponds 
to measuring the observable X @ X. 


In particular, the phase-flip error correcting code on three qubits can similarly be 
defined by the set of phase parity measurements corresponding to the observables 


Xaxeal, 
ee (10.5.11) 
which will have corresponding commutation and anti-commutation relations with 
the associated (product of Pauli operators) error operators. 


When the error operators are described by tensor products of Pauli operators 
(i.e. suffices that the Kraus operators of the error model are linear combinations 
of such error operators), it is possible to define a large class of quantum error- 
correcting codes as the subspace spanned by the eigenstates with eigenvalue +1 
of a set of operators that are generalizations of classical parities that we have 
encountered in the classical setting. The three-qubit code that we have seen 
indeed defines a subspace spanned by states of eigenvalue +1 of the operators 
Z@Z8lIand Z®1I®Z. These operators generate a group, called the stabilizer. 
Measuring the generators® of the stabilizer gives the syndromes. 


The stabilizer leads to a formalism based on the group-theoretic properties of 
the set formed from tensor products of Pauli operators (e.g. their commutation 
relations). When the error operators are also tensor products of Pauli operators, 
such as in the case here, it is possible to find the syndrome by learning how 
these generators commute or anticommute with each error operator. In other 


2Two operators A and B anti-commute if AB = —BA. 


3Recall that the generators of the stabilizer are products of Pauli operators, which are 
Hermitean and thus can be regarded as observables. 
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words, when a code corresponds to the +1 eigenspace of a stabilizer, it suffices 
to study the effect of the error operators on the generators of the stabilizer and 
not on the codewords themselves. This turns out to be simpler than looking at 
the encoding, error, and decoding procedures that we have seen. The stabilizer 
formalism is also useful for designing gates that have fault-tolerant properties. 


10.5.4 The Nine-Qubit Shor Code 


The three-qubit bit-flip and phase-flip codes can be combined to give a nine- 
qubit code which corrects bit flip or phase flip errors on one of the nine qubits. 
It also allows us to correct for a simultaneous bit and phase flip on the same 
qubit, as we explain in more detail below. These errors, with the identity error 
operator, provide a basis for a generic one-qubit operator. Thus, this code allows 
to correct for a generic one-qubit error. 


Encoding for the Shor code works in two stages. First each qubit is encoded as 
in the three-qubit phase-flip code: 

|0) +> |+++), 

|1) H+ |———). (10.5.12) 


Second, each of the three qubits in the phase-flip codeword are encoded in a set 
of triplets as in the three-qubit bit-flip code: 


|+) + Jz (|000) + |111)), 
|(000) — |111)). (10.5.13) 


Ly 
This results in codewords of nine qubits: 


|0) + 545 (000) + |111)) (|000) + |111)) (000) + 111), 
|1) + 45 (000) — |111)) (|000) — |111)) (000) — 111). (10.5.14) 


Suppose we subject these codewords to both the bit-flip and the phase-flip 
channels, with the restriction that there is at most one bit flip and at most 
one phase flip. We can view the combined effect as a single channel, whose effect 
is a bit flip with some amplitude, and a phase flip with some other amplitude, 
and a combination of both. 


In a way analogous to the bit-flip channel seen previously, we can see that bit flip 
(X operator) on any of the nine qubits will move the code described by 10.5.14 
to an orthogonal subspace. A phase flip (Z operator) on any of the qubit will 
also move the code to an orthogonal subspace through a sign change between 
the triplets of qubits. A peculiarity of this code not encountered in the three-bit 
codes is that applying the Z error on any member of the triplet will move the 
code to the same subspace. This will not prevent error correction as we only need 
to know where the code has moved to undo the error, as we show in Example 
10.5.1. 
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A product of X and Z will give rise to a Y error which also moves the code 
to another orthogonal subspace. This shows that the error correction conditions 
10.1.1 are satisfied and that an error-correcting recovery operation can be found 
(as illustrated in Example 10.5.1). 


Note that the syndrome for the bit-flip code measures parities of bits values of 
a subset of the qubits, and the syndrome for the phase-flip code measures the 
phase parities of a subset of the qubits. 


We can use a generalization of the syndromes for the bit-flip and phase-flip codes 
from the previous section to compare the bit or phase values of various qubits 
and make a table relating them to the corresponding error. A way to do this is to 
use the stabilizer formalism introduced in the previous subsection. We see that 
the bit-flip errors will be identified by two parities for each triplet of the qubits. 
The parity operators, which are also just sometimes referred to as ‘parities’ in 
this context, are given by 


ZOZOFTIOI&OI®OI®ISI@I, 
ZQ@IOZQLl&HI8I8ISI8I, 
IOlTOIOZOZOIEI&SI8I, 
IOTOIOZOHI@OZEI&I81, 
IOTOIOIOI®I®LZEOZ01, 
IQ®IOI@I®OI®I@LZQI@Z. 


(10.5.15) 


Measuring these operators through a generalization of Figure 10.18 will reveal 
which qubit, if any, has undergone a bit flip. 


The phase-flip errors will be identified by the parities of the signs that appear 
in each triplet. Note that the logical bit encoded in states |000) + |111) can be 
extracted by measuring the eigenvalue of the X ®X @X operator on the encoded 
state. Thus the parity of the first two logical bits encoded by |000) + |111) can 
be extracted by measuring the observable X ® X ® X ® X ® X ®X on the first 
six qubits. Furthermore, note that applying any combination of X errors to the 
states |000) + |111) does not change the phase parity of those states. Thus the 
relevant phase-flip errors on the nine-qubit state can be determined by measuring 
the parities 


XOXOXOX@X@XOI@ISI, 


T@IQI@®X@X@X@X@BX@OX. (10.5.16) 


Exercise 10.5.5 Make a table analogous to the one in Equation 10.5.10 that calculates 
the parities in Equation 10.5.15 for bit flip errors acting each qubit. Do the same for the 
parities in Equation 10.5.16 for phase flip errors. The recovery operation becomes the 
error operators themselves (as they are their own inverse). Which operator to apply is 
conditioned on the values of the parities. 
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These two parities will reveal which qubit, if any, has undergone a phase flip. 
A ZX =i7Y error will be revealed by a obtaining ‘—1’ parities when measuring 
operators in each of Equations 10.5.15 and 10.5.16 


The Shor code can be defined as the 2-dimensional subspace spanned by eigen- 
vectors with +1 eigenvalue of the eight operators in Equations (10.5.15) and 
(10.5.16). 


Example 10.5.1 The nine-qubit code will, for example, correct a Y error on the first 
qubit of the encoded state 


a(|000) + |111)) ({000) + |111)) (|000) + |111)), 
+3(|000) — |111)) (|000) — |111)) (|000) — |111)). 


Note if a Y error occurs to this state, it will transform to (we can factor out and ignore 
the global phase of 7) the state 


(|100) — |011)) ({000) + |111)) (|000) + |111)), 
+,3(|100) + |011)) (|000) — |111)) ({000) — |111)). 


The parity measurement corresponding to the operator 
ZOZQIOI@IOI®OIOISI 


will give us the outcome ‘—1’ indicating that the first two bits do not agree. The parity 
measurement corresponding to the operator 


ZOEIOZQI&GI&OI&OI@I&I 


will also give us the outcome ‘—1’ indicated that the first and third bits do not agree. 
Therefore, we know (assuming there was at most one bit flip on the first three qubits) 
that there was a bit flip on the first qubit. 


The remaining four bit parity measurements will all give values of ‘+1’, giving no 
indication of any other bit flips. 


The phase parity measurement corresponding to the operator 
XOX@OX@OXOXOXBOIGICI 


would give an outcome of ‘—1’ indicating that (assuming there was at most one phase 
flip on the nine qubits), there was a phase flip somewhere on one of the first six qubits. 


The phase parity measurement corresponding to the operator 
T@I@I@XOXOXOSXOXOX 


would give an outcome of +1 indicating that there was no phase flip on the last six 
qubits. Thus the phase flip must have occurred on one of the first three qubits. 


Thus the 8 parity measurements will tell us that there was an X error on the first qubit 
and a Z error on one of the first three qubits. Note that the overall effect of a Z error 


TEAM LinG 


THREE- AND NINE-QUBIT QUANTUM CODES 233 


is the same regardless of which of the first three qubits it acted on. Therefore, we can 
correct the codeword by applying an X gate on the first qubit and a Z gate on any 
one of the first three qubits. 


This peculiar feature of not knowing or caring which qubit was affected by a Z error 
and which qubit should be corrected by a Z gate is due to a property of this code called 
degeneracy. A code is degenerate if more than one error operator have the same effect 
on the codewords. 


If we assume the Z error occurred on the first qubit, then we know that the first qubit 
experience both an X and a Z error, and thus the effective error operator on the first 
qubit was a Y gate (note that up to global phase, Y, XZ, and ZX are all equal). 


Exercise 10.5.6 The error recovery operations for the bit flip and phase flip codes 
can be adapted and combined to give a recovery operation for the nine-qubit Shor code. 


Give the error recovery operation for the nine-qubit code. 


The above Example 10.5.1 conveniently only had one error operator acting on 
the codeword. In general, as we saw in previous examples, if the error operation is 
described by a combination of correctable Pauli errors, then the syndrome mea- 
surement will ‘collapse’ the system into the component of the state corresponding 
to the encoded state affected by the Pauli error operators with that particular 
syndrome. In other words, as we discussed at the end of Section 10.4.3, if we can 
correct some discrete set of errors, we will also be able to correct a generic linear 
combination of these errors due to the linearity of quantum mechanics. Since 
the Shor code corrects all of the four Pauli errors (acting on one qubit, with the 
identity acting on the rest), it will also correct any linear combination of those 
four. Therefore, the Shor code will correct an arbitrary error on a single qubit. 
This basic idea is a vital aspect of why quantum error correction works, despite 
the apparently daunting task of having to correct for a continuum of possible 
quantum errors. 


There are some quantum error correcting codes that are more efficient than 
Shor’s code which uses 9 qubits to encode 1 qubit of quantum information and 
protects for one (but only one) generic single-qubit error within each codeword. 
Steane has discovered a code which uses only 7 qubits as the subspace with 
eigenvalue +1 of the operators: 


ZOZOLZeQLZeElIeI@I, 
ZOZQTI@I@LZELZE6l1, 
ZOIQ@LZQOI@LZElI@Z, 
XOXOXOXOIGISI, 
XO@XOIGI@X@OXBI, 
XOI@XOI@X@I@X. 


(10.5.17) 
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There is an even more compact code which uses only 5 qubits and is defined 
through the operators: 


X@ZQLZQOXeTI, 
T@X@ZQOZOQOX, 
X@®I@®X@ZQZ, (10.5.18) 
Z@OXBTI@X@Z, 
Z@®ZQX@I@QX. 


It is possible to show that it is not possible to use fewer than 5 qubits to protect 
against a generic single qubit error. 


10.6 Fault-Tolerant Quantum Computation 


Consider a circuit having S gates. If individual gates in the circuit introduce 
incoherent errors independently with probability p, then the expected number of 
errors at the output of the circuit is Sip. The probability of there being at least 
one error in the output of the circuit is at most Sp (Exercise 10.6.1). If the errors 
were all coherent, this probability would be $?p. In what follows, we will assume 
for convenience that errors are incoherent, but a very similar analysis can be 
done taking into account the possibility of coherent errors by keeping track of 
the probability amplitude of errors, instead of the probabilities. 


Exercise 10.6.1 For a circuit having S gates, if individual gates introduce incoherent 
errors independently with some error probability p (recall Definition 10.4.25), show 
that the probability of there being at least one error in the output of the circuit is at 
most S'p. Also show that if the errors are fully coherent the probability is at most S?p. 


Suppose we want to use a quantum error-correcting code to protect our quantum 
information from errors as it propagates through the circuit (for some quantum 
algorithm or protocol). A first approach would be to encode the information at 
the beginning of the circuit, and then just before each gate, decode the state, 
apply the gate, and then re-encode the state. Of course, between the decoding 
and re-encoding, the gate still may produce an error with probability p. This 
approach only protects the information from errors that occur between gates. 
As we mentioned in Section 10.3, a better approach is to design gates that act 
directly on encoded states. Furthermore, we want to be able to do this fault- 
tolerantly. This means we want to implement the gates on encoded states in 
such a way that if one (unencoded) gate in the implementation produces an 
error, the quantum information is not lost. For a given error-correcting code, 
a fault-tolerant implementation of a gate would restrict the evolution so that 
correctable errors do not propagate leading to uncorrectable errors. 
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xX 


Fig. 10.19 A non-fault-tolerant implementation of CNOT for the three-qubit code. 


Definition 10.6.1 Suppose individual quantum gates produce errors in their 
output independently with probability p. For a given error-correcting code that 
corrects one error, an implementation of a gate acting directly on encoded states 
is considered to be fault-tolerant if the probability that the implementation in- 
troduces an unrecoverable error is bounded above by cp” for some constant c. 


Note that the upper bound cp? on the error probability for a fault-tolerant gate 
is an improvement over the error probability p for the physical gates as long as 
p< i, This condition is called the threshold condition and the value 4 is called 
the threshold error probability. 


Suppose we are given an error-correcting code capable of correcting an arbitrary 
error on a single qubits within a codeword. Then an implementation of a gate 
acting directly on codewords is considered to be fault-tolerant if the probability 
that the implementation introduces two or more errors on the encoded output is 
cp’ for some constant c. As an example, consider the 3-qubit code, and suppose 
you want to implement an encoded version of the CNOT gate: 


|000)|000) ++ |000)|000) 

\000)|111) ++ |000)|111) 
CNOT ene * 

\111)|000) ++ |111)|111) 

J111)|111) ++ |111)|000). 


One way of implementing the encoded CNOT using 3 un-encoded-CNOT gates is 
shown in Figure 10.19. Note the gate acts on 2 encoded blocks of three qubits 
each. 


The implementation shown in Figure 10.19 is not fault-tolerant. Suppose an error 
occurs in the first (un-encoded) CNOT gate in the implementation, and that the 
error occurs on the control bit for this gate. Then, it is easy to see that the 
resulting error will propagate to the second and third qubits of the second block, 
by the next two (un-encoded) CNOT gates in the implementation. So a single 
physical gate error, which occurs with probability p, results in multiple errors 
in the output of the encoded CNOT. The idea behind fault-tolerance is to design 
gates that avoid such bad error propagation. 
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Fig. 10.20 A fault-tolerant implementation of CNOT for the three-qubit code. 
error error error error 
| 0) enc correct Apr correct correct Apr correct 
| 0) error error FT error error 
ene correct correct correct correct 


Fig. 10.21 Each encoded gate introduces an unrecoverable error with probability cp” 
for some constant c. The expected number of errors at the output of the circuit is Scp?, 
and so the probability of an error at the output of the circuit is at most Scp?. 


An example of a fault-tolerant implementation of CNOT is shown in Figure 10.20. 


To implement a circuit fault-tolerantly, we should choose a quantum code suit- 
able for the error model (e.g. the 3-qubit code as shown in the example, or per- 
haps the 7-qubit Steane code), and then design fault-tolerant implementations, 
appropriate for that code, of a universal set of gates. 


For a gate U, denote its fault-tolerant implementation by Upp. Suppose we im- 
plement the circuit of Figure 10.19 using fault-tolerant gates for the 3-qubit code. 
Also, suppose we do error correction between every pair of gates in the circuit. 
Then, the resulting circuit would look like Figure 10.21. Suppose that we can 
do encoding and error correction perfectly (i.e. assume there is no chance of 
a gate producing an error during the encoding or error correction procedures). 
The 3-qubit code corrects bit flip errors on 1 qubit, and we have implemented 
our encoded gates in a fault-tolerant manner. So the only way that the error 
correction could fail is, if at least two bit flip errors occurred in the fault-tolerant 
implementation of the gate just before the error correction. This happens with 
probability 3p?(1—p). So the probability of error (after error correction) for each 
fault-tolerant gate is now less than cp”, for c = 2 (since p? < p*). Note that the 
threshold condition for c= 2 is p< s, which is a condition that we have already 
seen to be necessary for the three-qubit code to be effective. Consider a circuit 
containing S' such fault-tolerant gates. The probability of an unrecoverable error 
in the (encoded) output of the fault-tolerant circuit is at most cS'p?. 
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The bound cS'p? for the error probability of the fault-tolerant circuit is an im- 
provement over the bound Sp for the error probability of the original circuit as 
long as the threshold condition p < + is satisified. 


Of course, we cannot assume that the (un-encoded) gates used in the error cor- 
rection and encoding procedures are themselves immune to the errors. These 
gates may also introduce errors with probability p. So we would like to devise a 
way to perform these procedures in such a way that the probability of error is at 
most cp? for some constant c. Fortunately, there are techniques for doing this. 
Recall that for stabilizer codes, error correction can be achieved by performing 
a measurement of the stabilizer generators. There are techniques for performing 
such measurements fault-tolerantly (i.e. in such a way that the probability of 
error is cp? for some constant c). 


In summary, the plan of fault-tolerant quantum computing is as follows. We 
assume that our individual (un-encoded) gates introduce errors with probability 
p. If we do not use error correction, the probability of an error at the output of 
a circuit with S gates is at most Sp. To implement the circuit fault-tolerantly, 
we first choose a suitable quantum code and then devise implementations for: 


1. a fault-tolerant universal set of gates. This is a set of gates implemented to 
act directly on encoded states, such that the probability of an unrecoverable 
error in the encoded output is at most cp? for some constant c. 


2. a fault-tolerant measurement procedure. This is a procedure for performing 
measurements such that that the probability the measurement introduces 
an error is at most cp” for some constant c. Notice that if we have chosen a 
stabilizer code, then a fault-tolerant method for performing measurements 
of stabilizer generators will give us a fault-tolerant technique for perform- 
ing error correction. Fault-tolerant measurements also provide a means to 
prepare the initial state for the computation fault-tolerantly. 


Given a circuit with S gates, if we encode the qubits in the circuit with a suitable 
quantum error-correcting code, and then replace the gates and measurements in 
the given circuit with fault-tolerant implementations, the probability of an error 
in the output of the circuit is at most Scp? for some constant c. This is an 
improvement over the bound S'‘p for the probability that the original circuit 
produces an error, as long as p < pin = + 


=e 
The error probability can be reduced even further (in fact, arbitrarily low) by 
concatenating quantum error-correcting codes to obtain new, larger codes. 


10.6.1 Concatenation of Codes and the Threshold Theorem 


For a circuit with S gates, where individual gate errors occur independently with 
probability p, the techniques described above can be used to produce an encoded 
version of the circuit whose overall probability of error is at most cS'p*, for some 
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constant c. This is an improvement, as long as p is below the threshold value 
Pth = 4. In this section we show how codes can be combined, or concatenated, 
to get even better improvement. Using this idea, we get a bound on the number 
of gates required to implement a circuit if we require the error be reduced to at 
most ¢. We find that the size of the circuit grows polynomially with loge. It is 
an important result called the threshold theorem. 


The idea of concatenating quantum codes is quite simple. In a first-level encoding, 
we encode each qubit using an appropriate code. Then, for each of the codewords 
we encode each of the qubits in the codeword again, using the same code. This 
is called the second-level encoding. Note that after two levels of encoding using 
an n-qubit code, each qubit is ultimately encoded by n? qubits. Concatenation 
is illustrated in Figure 10.22. This is a good strategy as long as the error model 
at each encoding level has the same form, that is, the same Kraus operators with 
possibly different amplitude. 


Suppose we use a two-level encoding, and individual errors occur at the lowest 
level (on a physical qubit) with probability p. Through one level of encoding, 
the probability for unrecoverable errors on fault-tolerant versions of the gates at 
the middle layer is reduced to cp” for some constant c. Then the second level of 
encoding reduces the probability of unrecoverable errors on fault-tolerant gates 
at the top layer to c(ep?)? = c%p*. So concatenation improves the error rate 
exponentially as long as p < 4. If we use k levels of encoding, then the probability 


; 
of an error at the highest level is reduced to er The number of physical gates 


oy 
1) of 
oy + 
o£ 
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ot 
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Fig. 10.22 Concatenation of error-correcting codes. 
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required to implement each fault-tolerant gate (for & levels of concatenation) is 
d® for some constant d. We seek to obtain a bound on this number d*, to show 
that the error rate decreases faster than the size of the circuit grows. 


Suppose that we wish to give a fault-tolerant implementation of a quantum 
circuit having S gates and we wish to make the overall error probability for the 
circuit less than ¢. To do so, the fault-tolerant implementation of each gate must 
be made to have an error probability less than 3. Using the observations about 
concatenation, we must concatenate our codes a number of times k such that 


€ 

.<eerene 

CG» Fes 

Provided that p is below the threshold i, such a k can be found. To find a bound 
on d*, begin with (10.6.1), and take the logarithm of both sides: 


(10.6.1) 


(10.6.2) 


Now using the fact that 2 = d!/1!°824 we get: 


logs d 


<0 (in (5), nee 


for some positive constant m > 1. Therefore, fault-tolerant circuit consisting of 
S' gates concatenated to k levels has its size (number of gates) bounded by 


Sd* =O (s (108 (=))) (10.6.4) 


gates. Summarizing, we have the following threshold theorem for quantum com- 
putation. 


Theorem 10.6.2 A quantum circuit containing S gates may be simulated with 
a probability of error at most € using 


o(o(oe(2)) os 


gates on hardware whose components introduce errors with probability p, pro- 
vided p is below some constant threshold, p < pip, and given reasonable assump- 
tions about the noise in the underlying hardware. 


The threshold theorem tells us that, in principle, we will be able to construct 
devices to perform arbitrarily long quantum computations using a polynomial 
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amount of resources, so long as we can build components such that the per-gate 
error is below a fixed threshold value. In other words, noise and imprecision of 
physical devices should not pose a fundamental obstacle to realizing large-scale 
quantum computers. This shows that the model of quantum information process- 
ing is robust and corroborates the suggestion that quantum information is more 
powerful than its classical counterpart. Although the threshold value calculated 
today is demanding from the experimental point of view, by designing better 
quantum error correcting codes, the numerical value of the threshold continues 
to be improved. The techniques and methods for quantum error correction also 
provide guides and requirements for the physical implementation of quantum 
information-processing devices. The theorem has given confidence that they can 
be built. 
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A.1_ Tools for Analysing Probabilistic Algorithms 


Markov’s inequality is a simple but powerful tool in probability theory. We will 
state it here in the case of discrete random variables, but it has a straightforward 
continuous analogue. 


A discrete random variable X is a variable whose values come from a finite or 
countable subset S' of the real numbers and that correspond to the outcome of 
some random event. 


For example, if we consider a random coin flip, we can let X = 0 if the coin 
comes up ‘heads’ and X = 1 if the coin comes up ‘tails’. 


As another example, we could toss a coin n times and let X equal the number 
of times the coin comes up ‘heads’. 


The expected value of a random variable X is 


E(X) = $0 @Pr(X =2) 


res 


which we will also denote by px. 


Theorem A.1.1 (Markov’s Inequality) Let X be a discrete random variable 
that takes on non-negative values. Then 


Pr(X 2 eux)) < (A.1.1) 


2 


The proof follows from the simple observation that if with probability at least 
p, X will be greater than or equal to some threshold value t, then the expected 
value of X must be at least pt. 


Proof Let Y be the random variable satisfying Y = 0 if 0 < X < cE(X) and 
Y = cE(X) if X > cB(X). Thus Pr(Y = 1) = Pr(X > cB(X)). Since X > Y, 
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then 


and the result follows. 


Example A.1.2 We can use Markov’s Inequality to show how to turn a randomized 
algorithm A that correctly solves a problem with some expected running time at most 
T into a zero-error algorithm with bounded running time and bounded probability of 
outputting the answer. 


Let X be a random variable corresponding to the running time of A on a particular in- 
put, and suppose we know the expected running time is at most T. Markov’s Inequality 
implies that for any constant c, the probability that the running time of the algorithm 
A exceeds cE(X) is at most 4. Thus, if we know the expected running time of A, we 
can derive an algorithm with bounded running time by simply running A, and if does 
not find the answer within time 37, then stop and output ‘FAIL’. With probability at 
least 3 the modified algorithm will have successfully solved the problem. 


Markov’s inequality can be used to derive more powerful inequalities including 
Chebyshev’s Inequality and Chernoff’s Inequality. 


Define a new random variable Y = (X — px)?. Let ox = WE(Y). Applying 
Markov’s inequality to the random variable Y gives Chebyshev’s Inequality: 
1 
Pr||X — px| > cox] < a 
We can get stronger bounds when the random variable X is the sum of several 
independent random variables with outcomes 0 or 1. 


Let X1, X2,..., X» be random variables corresponding to the result of n inde- 
pendent coin-tosses with outcomes 0 or 1, where Pr[X; = 1] = p;. The random 
variables X; are also known as ‘Poisson’ trials. If the p; are all equal, they are 
known as ‘Bernoulli’ trials. 


Let X = )Yy_, Xi, and wx = E(X) = Vo, pi. 


By applying the Markov Inequality to the random variable Y = e°*, for an 
appropriately chosen positive real value c, we can derive what are known as 
Chernoff bounds. 


For example, one can bound the probability that X is much less than its expected 


value: 


Theorem A.1.3 For any real value 6,0 <6 <1, we have 


wx 6? 


Pr[X < (1—6)ux] <e7"~™ 
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One can also bound the probability that X is much greater than its expected 
value: 


Theorem A.1.4 For any real value 6 > 0, we have 


eo Mx 
Pr[X > (1+ 6)px] < (asm) : 


Example A.1.5 One application of the Chernoff bound is to amplify the success 
probability of a bounded-error algorithm. Suppose we have a bounded-error algorithm 
for a decision problem that outputs the correct answer with probability 4 + 2, where 
0<P<1. 


If we repeat the algorithm n independent times (with the same input), and output the 
majority answer, then the probability of error reduces to y” for some constant +. 


Let X; = 1 if the ith run of the algorithm outputs the correct answer, and let 
X=, Xi. 
Then E(X) = 8 + 38. 


Letting 6 = wa we get 


n __np? 
Pr[x < 5! <e te) =", 
B? 
where y=e 4048), 


This means that if we would like the majority answer to be the correct value with 
probability at least 1 — €, it suffices to repeat n times where n > 4it? log 2. 


A.2 Solving the Discrete Logarithm Problem When the Order 
of a Is Composite 


There are several methods for reducing the problem of finding the discrete log- 
arithm of b to the base a where a has composite order r = r1r2...Tn to finding 
several discrete logarithms to some other bases a; with order rj. 


One method requires that the r; be pairwise coprime. Thus if we want to reduce 
the discrete logarithm problem to a series of discrete logarithm problems in 
groups of prime order (and not just prime-power order), this method (which 
uses the Chinese Remainder Theorem) will not suffice in general. 


So we will sketch some other methods that do not require that the r; are pairwise 
coprime. The first such method requires a factorization of r into its prime factors. 
In light of the efficient quantum algorithm for factoring integers, this is not an 
unreasonable assumption. The last two methods, which we sketch more briefly, 
do not assume we have a prime factorization of r. 
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Assuming a Prime Factorization of r 


For simplicity, we will give the proof for the case that r = rir, since the method 
generalizes in a straightforward way. 


Theorem A.2.1 Consider an element a with order r = rj r2, for integers 
ry >1,r2 > 1. 


The logarithm of any element b to the base a can be computed by evaluating 
one discrete logarithm with respect to the base a, = a™ (which has order rz) 
and one discrete logarithm with respect to the base ag = a’ (which has order 
r,), and O(log? r) other group operations. 


Proof Suppose b = a* and a has order r = r,r2. Note that for each k satisfying 
0<k <r there are unique integers c,, co satisfying 0 < cy < r2,0 < co < r1 such 
that k = cere + cy. Let by = 6" and a; = a™. Note that this means b; = a}’, 
where the order of a; is rg. Thus by computing the discrete logarithm of b; to 
the base a,, we obtain c,. Once we know c,, we can compute by = ba~%! = a™@, 
Let az = a". Note that ag has order r; and that bz = a5?. Thus we can find cp 
by computing a logarithm to the base ag. From c; and cg we can easily compute 
k. 


Corollary A.2.2 Consider an element a with order r. Let r = p\p2...pp be 
the factorization of r into primes (the p; are not necessarily distinct). For 
i1=1,2,...,k, define a; = a?:. Note that a; has order p;. 


The logarithm of any element b to the base a can be computed by evaluating k 
discrete logarithms with respect to the bases a,,a2,..., az, and O(log” r) other 
group operations. 


No Assumption of a Prime Factorization of r. Method 1. 


The basic idea behind this method to simply run the discrete logarithm algo- 
rithm and not worry about r not being prime, and just proceed as usual. Recall 
that with high probability! the algorithm will sample a pair of integers k and 
kt mod r, where ¢ is the logarithm of b to the base a. One of three things will 
happen: 


1. we will get lucky and the sampled k will be coprime with r, and we can 
directly find t = (k~! mod r)(kt mod r) mod r. 

2. we will be somewhat unlucky, and k will have a non-trivial common factor 
d= GCD(k,r) with r. In this case, we will be able to split r = r,d. We will 
also be able to determine t mod rj, and reduce the problem to a discrete 
logarithm problem in a group of order d. We elaborate on this possibility 
below. 


lif QFT, and QFT;! are used, the probability is 1. 
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3. we will be very unlucky and sample k = 0. This only happens with proba- 
bility 1 — 1, so we can simply keep trying until we get a non-zero k.? 


In the case that d = GCD(k,r) > 1, we know that r = rid, k = kid, and 
kt = k,dt mod r for some integers r;,k,. We can compute the value of t; = 
t mod r; by computing (i mod r;)(kit mod r;) mod 71. Then we know that 
t = tor; + t1 for some non-negative integer tg < d. If we define b; = 6” and 
a, = a" then we can see that b, = an and a, has order d. We can then apply 
the discrete logarithm algorithm to find tg mod d or tg modulo some non-trivial 
factor of d. The expected number of recursive applications of the generalized 
discrete logarithm algorithm is at most O(log r). 


No Assumption of a Prime Factorization of r. Method 2. 


If r is not prime, we can proceed with the general analysis given in Section 7.5 
for the Hidden Subgroup Problem. This method consists of repeating the dis- 
crete logarithm algorithm O(logr) times to generate pairs (kit, ki), (kat, ke)... 
(kmt, km). We then solve the linear system 


Kmt Kim 


With high probability the solution space will be the 1-dimensional vector space 
spanned by 


A.3_ How Many Random Samples Are Needed to Generate 
a Group? 


Consider any group G of order N = p}''p? ... p/'', where the p; are prime and 


Ny > 0. 
Let n = 975 7;. 


Suppose we have a means for sampling elements from G independently and 
uniformly at random. How many samples do we need so that with probability 
at least 2 the sampled elements generate G? 


A similar argument as in Exercise 6.5.3 shows that the expected number of 
uniformly random samples from G that are needed in order to generate G' is less 
than n+ 1. 


2 


Note that Exercise 8.2.2 shows how to eliminate this third possibility using Amplitude 
Amplification. 
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Thus, 3n +3 samples from G suffice in order to generate G with probability at 
least 2. 
3 


However, much fewer samples are actually necessary in order to generate G with 
high probability. Upper bounds of n + O(1) could be shown using Chernoff 
bound methods (Appendix A.1). 


However, we will give an alternative proof in the case that G is the additive 
Abelian group G = Z?) (in which case, we can treat it as vector space over Zo, 
and avoid group theory language), as is needed for analysing Simon’s algorithm. 
In general, it can be shown that the number of samples needed for a group G of 
order N = pj*p5?... pj with n = 7, nj; is no more than is needed in the case 
of G= ZY. 


Theorem A.3.1 Let t;,t2,... be asequence of elements selected independently 
and uniformly at random from a subspace H < Z), where |H| = 2™. 


Then the probability that (t1,t2,..., tm44) generates H is at least 2. 
Proof Let S; = (t1,t2,...,t;) for 7 > 1, and Sp = {0}. 

With probability 1— 55 =1- sh, 
this is the case, then with probability at least 1— oh = 1—sAR we have t2 ¢ Si, 


we have t; ¢ Sp and thus |S,| = 2. Assuming 


and thus |S2| = 4. And so on, so that with probability at least 1 — j we have 


tm—1 ¢ Sm—2 and |Sin—1| = 2”, and finally with probability at least 1— 4 


we have tm ¢ Sm, and so |S,,| = 2; since S$, is subspace of H (which has size 
2”), then S,, = H. 


Note that? 


1 1 1 1 1 
(1 a) (1 ma) (2 a) >1 2357} ae 


This means that 


and thus 


0-5) 0-s&)-(0-$) 0-9) >} 


Note that this means that the probability that we get ‘lucky’ and the first m 
samples t1,t2,..., tm from H are independent (and thus generate all of H) is 
at least i However, we would like to boost this probability to be greater than 


3° 


3This follows by inductively applying the fact that for non-negative real values 11, x2, the 
following always holds (1 — 21)(1— 22) >1—21—22. 
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(A) (-eh) (4) 


so that with probability at least z the first m— 3 samples will be independent, 
and thus generate a subgroup S;m—3 of H of size 2-3. 


Note that 


The probability that the next two samples t,,_2 and t,,_, are both in S,,_3 is 
(2) = oan thus the probability that S,,_1 is strictly greater than S,,—3 is at 
least 1 — 4. In this case, for convenience “ let S/,_; be a subgroup of size 2™~? 
satisfying S,-3 C S!,_, C Sim_1. In this case, the probability that tm,tm41 are 


both in $’,_, is Gy = im and thus the probability that $,,+1 is strictly greater 
than S/,_, is at least 1 — z. 


In this case, again for convenience, let S/,,,, be a subgroup of size 2™—! satisfying 
Sm—1 © S41 S Sm41- 

Lastly, the probability that tm+2,tm4+3,tm44 are all in S/,,, is (5)? = 3, and 
thus the probability that S,,+43 is strictly greater than S7,., is at least 1 — z. In 
this case, Sim+44 must have at least 2” elements, and since it is a subspace of H 
(which only has 2” elements), then S,,44 = H. 


The probability of this occurring is at least 
7 638 #15 #7. 2 
x x . 


A.4_ Finding r Given § for Random & 


Theorem A.4.1 Suppose the integers k,,k2 are selected independently and 
uniformly at random from {0,1,...,7 — 1}. Let r1,7r2,c1,c2 be integers sat- 
isfying GCD(ri,c1) = GCD(re,c2) = 1 and © = rr and Ko = 2. Then 
Pr(LCM(ri,r2) =r) > © 


n° 


Proof Since r is a common multiple of r; and rz, we must have the least 
common multiple LCM(r1,r2) divides r. Thus to prove r = LCM(ri,7r2), it 
suffices to show that r|LCM(ri, r2). 


For convenience, note that we can equivalently assume k,, kg were selected in- 
dependently and uniformly at random from {1,2,..., 7} (since whether k; = 0 
or r, we always get r; = 1). Note that ry = GCDGA) and rg = GODG Es)" 
If GCD(r,k1) and GCD(r,k2) are coprime, then whichever factors were ‘re- 
moved’ from r to produce r; will remain in rz and vice versa. In this case, r will 
divide LCM(r,,r2), which implies that r = LCM(r,,r2). The probability that 
GCD(r,k1) and GCD(r, kz) are coprime is [J,,,.(1 — aes where the product is 


4This might seem awkward, but it makes the analysis easier. 
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over the prime factors of r (without repeating multiple factors). This probability 


is strictly larger than ict - or)s where the product is over all primes p. It 
can be shown that this series equals the reciprocal of the Riemann zeta function 


evaluated at the integer 2, ¢(2) = 7, s, which is known to equal = 


A.5 Adversary Method Lemma 


Here we prove the following lemma, based on definitions given in Section 9.7. 
Recall that for 7 € {0,1,..., T7}, we define 


1 ary 
Wi = S| (HRY) (A.5.1) 
(xvyjer /|4||V| 


The state [b2,) denotes the state of the quantum computer just after the jth 
query to the black box Oz, and U; denotes the unitary operation performed 
after the 7th query to Oz and before any other queries. 


Lemma A.5.1 Let b and b’ satisfy the following. 


e for every X € ¥ andi ce {1,2,..., N}, there are at most b different Y € Y 
such that (X,Y) € R and X; # Y;. 

e for every Y € Y andi € {1,2,..., N}, there are at most b’ different X € ¥ 
such that (X,Y) € R and X; 4 Y;. 


Then, for any each integer k € {0,1,..., T—1}, we have W**+! — WF < 2vV/bb’. 


Before we give the proof, let us note that for convenience we will assume that 
we are given the phase-shift version of the black-box for f, in particular, one 
that maps |x) + (—1)/ |x). This might appear to be a weaker black-box. For 
example, up to a global phase, the phase shift oracle for f(a) is the same as 
the phase shift oracle for the complement of f, f(x) = f(z). However by adding 
one additional input, z, to the domain of f and fixing f(z) = 0, we can easily 
show (see Exercise 8.1.1) that the two types of oracles are equivalent. (It also 
suffices to know the value of f on any of the existing inputs, or to be given a 
controlled-U ;.) 


Proof From the definition of W%, we know that 


1 
We OS pas So oR WY) — [RWS (A.5.2) 
(X,Y)ER 


and by the triangle inequality we have 


wrt! _ we 


1 
——— pktt pet} _ wk we . A5.3 
RD ooren! x ey) — (bxldy)| (A.5.3) 
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Define a;,j,x so that 
N 
Usk) = D> 04,5,x14) 1619.) 
for some normalized state |¢;,;x). Similarly, define a;,;,y so that 
N 
Udy) = do a45,v li) |bi,3,-¥) 


for some normalized state |¢;,;,y). 


It follows that 


wit?) = OxUn wk) = Urlb&) -2 S> ain,xlé)|bin,x) (A.5.4) 
uX,=l1 
and 
[petty = Oy U;. |v) = Uz |e) -—2 S- O4i,k,¥ |2)|Pi,k,¥) (A.5.5) 
uY;=1 


and therefore® 


(bit pk) — (yk lyk) = -2 a Oi k XV ky (PLXIPEY) (A.5.6) 


iX;=1 

x oe Qik, XO} ny (Or xIPi-y) (A.5.7) 
“Y;=1 

a oe in xO ny (OF xlPhy) (A5.8) 
iXi=Vi=l 

=-2 > aipxotpy(doxldty). (A5.9) 
uXAY; 
It follows that 
WEEMS Se » Ds [20i,4,xO;, nv (i,k, x1Gi,4,¥) | 


ad Tr (KX, Y)ERiUXiAY; 


|Os ke .x| |Qi,k,¥| 
< YY Ya le 
(K,Y)ERUX:AY; V [+ Vv |Y| 


5Note that (bk |pk.) = (Wk |ULU| be). 
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Note that for any non-negative real number r and real numbers a, b, it follows 
that® 2ab < 4a? + rb. Letting r = ,/* we get 


wet _ 3 3 B Naisexl? b lainy|? 
b AI by 


xy) JEREMY: 


lain.x|? b lain. |? 
a> ae a Ve DT 


(X,Y)ERUX AY; (X,Y)ER UX AY: 


We can reorder the summations to get 


k+1 k O |ai,6,x]? 
weeweey eS east 


i KEX YEV:(X,Y)ER,XiFY; 


“yy yet 
YY 


i KEX YEV:(X,Y)ER,XiFY: 


Using the hypotheses of the lemma we get 


-wWet< Sb yee ay ys 8 JainxT 
b |x| \Y| 


4 KEN a UWE. 
ote 
- Tat ieee oT Br Dy Liew 
vo'b 
eee 1 
mrt oT oe 
2Vob’. 


A.6_ Black-Boxes for Group Computations 


We mentioned in Sections 7.3 and 7.4 that the order-finding and discrete loga- 
rithm algorithms would also work with ‘black-box groups’ (with unique encod- 
ings). 

One natural quantum version of the black-box group model is to assume we have 
a black-box that implements the unitary map Uj, that implements the group 
multiplication |a)|c) + |a)|ca), where for any group element g, we let |g) denote 
the unique quantum encoding of the group element g. We assume we can also 
implement Uj;', which maps |a)|c) + |a)|ca~!). Thus Uj;'|a)|a) = |a)|1), which 


6Note that (4 — rb)? > 0. 
: i 
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means we have a means for computing the identity element, given two copies of a 
given group element. Further, Uj;'|a)|1) = |a)|a~!), so we can compute inverses 
if we have the identity element. 


If the unique encodings are unique strings of some fixed length n (which we will 
assume here), then the black-box Uj, is all we need to perform the standard 
black-box group operations (multiplication, inverse, and recognizing the iden- 
tity). Otherwise, we would need an explicit black-box for computing inverses 
and recognizing the identity. 


Another natural quantum version of the black-box group model is to assume 
we have a black-box that implements the unitary map U4, that implements 
the group multiplication |a)|c)|y) — |a)|c)|y ® ca) by XOR-ing the string rep- 
resenting the product ac into the 3" register. Such a black-box can be derived 
by standard methods (see Section 1.5 on reversible computing) from a clas- 
sical circuit that maps inputs a and c to the output ac, without any under- 
standing of the inner workings of the circuit. The previous black-box cannot in 
general be efficiently derived from a classical circuit for computing ac by such 
generic methods. So in some sense Uj, is a weaker black-box than Ujy. For 
example, given Uf, one cannot in general efficiently derive a circuit that mul- 
tiplies by a~+. This also means that it will in general be no harder (and some- 
times easier) to find situations where we can construct a black-box for Uj,, than 
for Um. 


In Sections 7.3 and 7.4, we discuss two such types of black-boxes that perform 
the group operations. Note that in the following black-boxes we ‘hard-wire’ the 
group element a into the definition of the black-boxes: 


e The first type of black-box for exponentiation was derived from a multiplica- 
tion black-box that maps |c) +> |ca), for any group element c, and assuming 
we are given the identity element. The analogous exponentiation circuit im- 
plements the map c-U® : |x)|c) + |x)|ca”). The algorithm in Section 7.3.3 
uses this exponentiation circuit as a black-box. 

e The second type of black-box for exponentiation can be derived from a 
multiplication black-box that maps |c)|y) = |c)|y ® ca), where c is any 
group element, and y is any bit-string of length n. The analogous expo- 
nentiation circuits implement the maps V, : |x)|y) ~— |x)|y @ a”) and 
Va.p : |2)|y)|z) — |x) |y)|z@a"b¥). We noted in Sections 7.3.4 and 7.4 that the 
states in Equation 7.3.15 (equivalently Equation 7.3.14) and Equation 7.4.4 
could alternatively have been created using V, and Vp, respectively. 


The black-boxes c-UZ and c-U;? together with the identity element are at least 
as strong as V, and V,.4, since we can implement V, using two queries of c-U?, 
and we can implement V,,) using two queries of c-U7 and two queries of c-U;’. 
However, c-U® and c-U;’ cannot in general be simulated by the black-boxes V, 
and Va,b- 
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Exercise A.6.1 


(a) Show how to simulate V, using two applications of c-U? and one copy of the identity 
element. 


(b) Show how to simulate Va,, using two applications of c-UZ and two applications of 
c-U; and one copy of the identity element. 


In Exercise 7.3.7, we see that order finding is a special case of the more general 
problem of finding the period of a periodic function. In the exercise, we intro- 
duced a black-box Uy that maps |x)|0) + |x)|f(x)). Note that any black-box 
that allows us to create the state > |x)|f(ax)) will work. 


In analogy with the two exponentiation black-boxes above, we could define two 
types of black-boxes for computing /f. 


e The black-box for f that is analogous with c-U® is one that maps 
|x) | f(y))  |x)|f(y + x)). Such a black-box for f is natural to implement 
when f(x) = a” mod N. However, for other periodic functions it might not 
be so straightforward. In such cases, it might still be useful to talk about 
such a black-box for the purposes of analysing the algorithm. 

e The black-box for f that is analogous with V, is one that maps |:)|y) te 
|x)|y @ f(x)). Such a black-box is easy to implement given a classical cir- 
cuit for computing f(x) (using standard techniques for making a circuit 
reversible; see Section 1.5). 


Just as the order-finding problem is a special case of the period-finding problem, 
we can treat the discrete logarithm algorithm as a special case of the following 
problem. 


Generalization of Discrete Logarithm Problem 


Input: A black-box Uy that computes a function f : Z, x Z, — X with the 
following property: 


f(x1, 91) = f(2,y2) & y1 — Yo = t(x1 — 2) mod r (A.6.1) 


for some fixed integer t. 
Problem: Find ft. 


Note that Equation A.6.1 is equivalent to 
f(x1,y1) = f(@2, y2) — (@1,y1) — (@2, y2) € (C1, -#)). 


We can assume the black-box Uy maps |)|y)|z) > |x)|y)|z ® f(x,y)), which 
would be easy to implement if f(x,y) = a*bY for elements a and b in some group 
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G with unique encodings and in which we can multiply efficiently. We would 
apply this black-box to the state }~ |x)|y)|0) to create the state > |x)|y)|f(z,y)), 
and then apply QFT>! ® QFT;"' (or approximations of them) to the control 
registers, followed by measurements of the control registers. The measured values 
will be of the form k and kt mod r for a random integer k. 


However, a black-box U} that maps |21, 91)|f(©2, y2)) Pla, wi) f(w2t+a1, yotyn)) 
would also work (if we are given | f(0,0)), and we apply the black box to the state 
> |x)ly)|f(0,0))). The black-box U} can be implemented efficiently in the case 
that f(z, y) = a*b¥ for elements a and b in some group G with unique encodings 
in which we can multiply efficiently. 


The generalized discrete logarithm algorithm described above will output a pair 
of integers (kt mod r,k mod r) for k € {0,1,..., 7 — 1} distributed uniformly 
at random. In order to find r, we can proceed with an analysis analogous to 
any of those detailed in Appendix A.2, which deals with the special case that 
f(x,y) = a*bY for elements a,b from some group. In order to see how to apply 
those techniques to the generalized discrete logarithm problem, note that running 
the discrete logarithm algorithm with new values a; = a° and b; = b° for some 
integer c corresponds to running the generalized discrete logarithm algorithm for 
the function f;(a,y) = f(ca, cy). Also note that running the discrete logarithm 
algorithm with new values b2 = ba~° and ag = a’ corresponds to running the 
generalized discrete logarithm algorithm for the function fo(x, y) = f(ra—cy, y). 


A.7 Computing Schmidt Decompositions 

We present a simple method for computing Schmidt decompositions, based on 
the observation at the end of Section 3.5.2 that the reduced density operators are 
diagonal in the Schmidt bases. The approach is to compute the partial trace for 
either one of the subsystems, and diagonalize it in order to find a Schmidt basis 


for that subsystem. We illustrate this process through an example. Consider the 
two-qubit state 


w= (4g) on + ie) wn + (4598) wor + (2) mn. carn 


Tracing the second qubit out of the density operator, we get the reduced density 
operator for the first qubit 


Tro|eh) (eb = 510)(O| + G10) (2 + Z{1) Ol + 511) (11. (A.7.2) 


In terms of the matrix representation, this looks like 


| 


NR Ale 


| (A.7.3) 


Ale Ie 


TEAM LinG 


254 APPENDIX A 


To diagonalize this matrix, we find the characteristic polynomial 


(Poo) 2520? =44- 2 (A.7.4) 


and see that its roots are ; and 3. These are the eigenvalues of the reduced den- 
sity matrix. The eigenvectors are computed as follows. The eigenvalue equation 
corresponding to the eigenvalue ; is 


i ) =1 ) , (A.7.5) 


Solving gives « = —y. We want the normalized eigenvector (since it is to represent 
a quantum state vector), so we solve x = —y together with x?+ y? = 1, obtaining 


the eigenvector 
ads 
& = ( v2 (A.7.6) 
Y1 Peo) 


Similarly, the normalized eigenvector corresponding to eigenvalue 3 is 


(*) = (2) (A.7.7) 


In terms of the Dirac notation, these are 


I-) = 4 ({0) - [1)) (A.7.8) 
and 
I+) = 45 ([0) + [1)). (A.7.9) 


Recall our earlier observation that density operators are normal operators. There- 
fore, the spectral theorem of Section 2.4 applies, and the eigenvectors form an 
orthonormal basis. We take the eigenvectors computed above to be the Schmidt 
basis vectors for the first subsystem. 


The state |) was originally given to us in the 2-qubit computational basis. To 
write |) in Schmidt form, we simply perform a change of basis on the first system 
from the computational basis to the Schmidt basis we just found. The Schmidt 
basis for the second system will become apparent once we have a Schmidt basis 
for the first system. The state written in Schmidt form is 


We) = B+) (S510) + 210) +31) (-V3l9+ RI). (A.7.10) 


Exercise A.7.1 Verify Equation (A.7.10). 
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Pin « ——J | Pout.) 
U 
10) s garbage 
ancilla |0) 
|0) < 
0) —— classical 
display 


Fig. A.8.1 A very general kind of quantum map that involves adding an ancilla sys- 
tem, unitarily evolving the joint system, extracting some classical information, keeping 
part of the joint system as a quantum output of the map, and discarding the rest of 
the system. Such a general quantum map can be derived by combining the operations 
described in Chapter 3. 


A.8 General Measurements 


In this section we describe more general notions of measurement that can be 
derived from the Measurement Postulate. We will explain the notions using cir- 
cuit diagrams, which are introduced in Chapter 4. We will also use the notions 
of mixed states, density matrices, and partial trace that are introduced in Sec- 
tion 3.5. 


In Section 3.5.3 we characterize the most general kind of quantum operation pos- 
sible that do not involve extracting information via a measurement.’ Of course, 
one could describe an even more general type of quantum map (depicted in 
Figure A.8.1) that does include measurements, which output non-trivial ‘classi- 
cal’ information and therefore involves some renormalization® of the remaining 
quantum state that depends on the classical measurement outcome. There is a 
variety of literature on these kinds of general quantum operations, which are 
often referred to as ‘quantum channels’ or ‘quantum instruments’, depending on 
the precise details of the operations. For this introductory textbook, we do not 
need to delve into the many possible ways of characterizing and categorizing such 
very general quantum operations. Instead we will focus on creating familiarity 
with more simple but universal? quantum operations. 


We give an example of a more general measurement operation. This kind of 
measurement can be referred to as a ‘pure’ measurement, since if a pure state is 


It is worth noting that sometimes we might refer to a measurement where one discards or 
ignores or is not told the (classical) measurement outcome. In such a case one usually describes 
the state of the quantum system as a weighted mixture of the possible post-measurement out- 
comes. This type of measurement does fall under this category of general quantum operations 
since we are not actually extracting information about the state of the system. 


8 Alternatively, some mathematical treatments of general quantum operations will leave the 
state unnormalized. 


®These simple operations are ‘universal’ in the sense that the more general quantum oper- 
ations can be constructed by composing the simple operations in a natural vind 


TEAM LinG 


256 APPENDIX A 


measured, the resulting state, after renormalization depending on the classical 
measurement outcome, is again a pure state. 


Suppose we want to measure some property of a quantum system of dimension 
N (e.g. a register of n-qubits with N = 2”). We can add an ancilla of arbitrary 
dimension, say L = 2', initialized to 


\0)' = |0)|0) ... |0), (A.8.1) 
l 


and apply any unitary U to the joint (NZ-dimensional) state |0)'|w) and then 
perform a Von Neumann measurement on the ancilla system obtain a label ‘2’ 


In order to derive the standard mathematical formulation of this kind of mea- 
surement, notice that the matrix U can be decomposed in block form as 


Mo Mor .-- Mo,r-1 


Mio Min ... Mip-1 
(A.8.2) 


Mry-1,0 Mrp-ij1 .-. My-1,L-1 


where each submatrix M;,; has dimension N x N. Recalling how to take tensor 
products for matrices from Section 2.6, we can write |0)'|w) as a column matrix 
in block form as 
[|)] 
lo”) 
. (A.8.3) 
[0] 
where [|~)] denotes the N-dimensional column vector representation of the state 
|) and [0%] is an N-dimensional column vector of all 0’s. 


Considering the action of U on the state |0)'|w) as a matrix multiplication of the 
matrix in Equation (A.8.2) by the vector in Equation (A.8.3), it can be seen that 
only the first column of matrix (A.8.2) is significant. The matrix multiplication 
gives 


U|0)' |p) = vy Mjo|v). (A.8.4) 


When we write |7) as above, the label 7 refers to the [-bit binary representation 
of the index j (so |j) is an I-qubit state). Renormalizing!® the M;o|w) terms'? 


Uo)|¥) = y vi Ilda (A8.5) 


l0By renormalizing a non-zero vector |?) which might not have norm 1, we mean multiplying 


1 
19) BY Teoias 
Tf any of the terms M;,9|~) have norm 0, then p(j) = 0, which means we never measure 
j. We can thus just exclude those j from the summation. ; 
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where 


Pj) = (v|M} 5 Mjolv). (A.8.6) 
Notice that the unitarity of U guarantees that 


yu eee (A.8.7) 


Now if we measure the first register, we get the result ‘j’ with probability p(y), 
and are left with the state 


M; 
li) ® Mjolv) (A.8.8) 
PS) 
We can discard the quantum state |j) of the system we measured, and be left 


with Mj,ol¥) ol) 


VPs) 


We could in general measure any subsystem of the joint system, and remove the 
restriction that the M; 9 are square. If we measure a subsystem of dimension Ab 
(we assume NL is divisible by D), then the Mj have dimension D x N, and 
the resulting quantum state will have dimension D (after we discard the register 
we measured). We can summarize this more general measurement procedure in 


the following way. 


General (Pure) Measurements 


Consider a set of operators {M;}, mapping a state space H of dimension N to 
a state space H’ of dimension D, that satisfy the completeness equation, 


> MIM; =I. (A.8.9) 


The indices ‘2’ label the possible measurement outcomes. For any such set of 
measurement operators {/;} it is possible to perform a quantum measurement 
that takes input state |w) and with probability 


p(t) = (b|M} Mil), (A.8.10) 


outputs outcome ‘2’ and leaves the system in state 


Mi|b) 
v(t) 
Note that the completeness equation (A.8.9) guarantees that the probabilities 


p(t) always sum to one. If p(z) = 0, we never get the outcome ‘i’ and we do not 
need to worry about renormalizing the state M;|1). 


(A.8.11) 


A projective measurement with respect to the decomposition J = $>, P; is a 
special case of a projective measurement where M; = P;,, and cas M, 1M, = P;. 
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As we mentioned at the beginning of this appendix, one could discard some or 
all of the remaining quantum state after a measurement. When we discard the 
entire remaining quantum state, this corresponds to a ‘POVM measurement’. 
Note that such a measurement would be characterized solely by the positive op- 
erators!? E; = M! Mj. Conversely, for any positive operators E; (not necessarily 
orthogonal projections) that sum to the identity, there exists operators M; sat- 
isfying E; = M! M;. Thus a POVM measurement with respect to the operators 
{E;} is realizable by a general pure measurement described above. 


A.9 Optimal Distinguishing of Two States 


In this Appendix, we detail an optimal procedure for solving the following state 
distinguishability problem. 


Distinguishing Two Pure Quantum States with Minimum Error 


Input: One of two known states |yx) or |w’y), with the property that 


lbxlby)| = 6. 
Output: A guess ‘X’ or SY’. 
Problem: Maximize the probability 1 — € that the guess is correct. 


A.9.1 A Simple Procedure 


We can first implement a unitary operation that maps |x) - |¢z) = cos(0)|0) + 
sin(@)|1) and |yy) + |dy) = sin(@)|0) + cos(@)|1), where @ is chosen so that 
0 <0 < % and sin(20) = 5 = (ed). 


Since cos(@) > 5, a natural procedure (illustrated in Figure A.9.1) is to measure 
the state in the computational basis, and output ‘X’ if the measured value is 
0 and output ‘SY’ if the measured value is 1. Such a procedure will output the 
correct answer, regardless of the input, with probability cos?(0). Setting 1 —« = 


cos?() gives us € = sin?(@). This relationship between ¢€ and 6 can be rewritten 


as € = 4 — \/1 — 6, which implies that 5 = 2,/e(1 — €). 
A.9.2. Optimality of This Simple Procedure 


We now show that we cannot do any better than the above simple procedure. In 
other words, the best estimation procedure can guess correctly in the worst case 
with probability no higher than the $ + $V/1— 62. 


Any measurement can be realized by adding an ancilla to the input state, per- 
forming a unitary operation U on the whole system, and measuring the first 
qubit of the whole system. If the output is 0 guess ‘X’ and if the output is 1 
guess SY’. 


12Since the operators sum to the identity, they correspond to a measure (called a ‘Positive 
Operator Valued Measure’) on the space of density matrices. A measurement corresponding to 
this measure is thus traditionally called a POVM measurement. 
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0) 
lee) 


Fig. A.9.1 This diagram illustrates a simple Von Neumann measurement for dis- 
tinguishing |¢z) and |p y). The probability of guessing correctly is cos?(@) where 
(¢x|¢y) = sin(20). No other procedure can achieve a higher correctness probability. 


Suppose 
U|tx)|00...0) = V1 — €,|0)|junk(x,0)) + ex|1) |junk(a, 1)) 
and 


U|py)|00...0) = V/ey|0)|junk(y, 0)) + 1 — €y|1)|junk(y, 1)). 


In other words, the algorithm correctly recognizes |Wx) with probability 1 — €, 
and correctly recognizes |Wy) with probability 1 — ¢,. The worst-case success 
probability is 1 — « where e = max(éz, €,). 


We also have the property that 


5 =|(exlby)| = |(vx|(00...0|UTU|yx)|00...0)| (A.9.1) 
= | (1 — €z)e, (junk(z, 0) |junk(y, 0)) + 4/(1 — ey )éx (junk(a, 1)|junk(y, 1))}. 
(A.9.2) 


This implies that 


§< yA —ealey ty 0—a)ee- 


We wish to find the smallest value of ¢ = max(€,,€,) allowed by the above 
inequality. It is easy to show that the optimum is achieved when € = €, = €y = 
11,9 — 33 

Theorem A.9.1 Any procedure that on input |wz) guesses whether Z = X or 
Z=/Y will guess correctly with probability at most 1—¢« = $ + $V 1 — 6?, where 
5 = |(wx|~y)|. This probability is achievable by an optimal measurement. 


TEAM LinG 


Bibliography 


| Note: ‘arXiv e-print’ refers to the electronic archive of papers, available at 
http://www.arxiv.org/. 


Aar] S. Aaronson. ‘Complexity Zoo’. http://qwiki.caltech.edu/wiki/ 
Complexity_Zoo 

Aar05| S. Aaronson. ‘Quantum Computing, Postselection, and Probabilistic 
Polynomial-Time’. Proceedings of the Royal Society of London A, 461:3473- 
3482, 2005. 

AAKV01] D. Aharonov, A. Ambainis, J. Kempe, and U. Vazirani. ‘Quantum 
Walks On Graphs’. Proceedings of ACM Symposium on Theory of Compu- 
tation (STOC’01), 50-59, 2001. 

ABNVW0O1] A. Ambainis, E. Bach, A. Nayak, A. Vishwanath, and J. Watrous. 
‘One-Dimensional Quantum Walks’. Proceedings of the 33rd ACM Sympo- 
sium on Theory of Computing, 37-49, 2001. 

ABO97| D. Aharonov, and M. Ben-Or. ‘Fault Tolerant Quantum Computation 
with Constant Error’. Proceedings of the 29th Annual ACM Symposium 
on the Theory of Computing (STOC’97), 1997. Also arXiv e-print quant- 
ph/9611025. 

[ADH97| L. Adleman, J, Demarrais, and M.D. Huang. ‘Quantum Computa- 
bility’. SIAM Journal on Computing, 26(5):1524-1540, 1997. 

[ADKLLR04] D. Aharonov, W. van Dam, J. Kempe, Z. Landau, S. Lloyd, and 
O. Regev. ‘Adiabatic Quantum Computation Is Equivalent to Standard 
Quantum Computation.’ Proceedings of the 45th Annual IEEE Symposium 
on Foundations of Computer Science (FOCS’04), 42-51, 2004. 

AHU74] Alfred V. Aho, John E. Hopcroft, and Jeffrey D. Ullman. ‘The Design 
and Analysis of Computer Algorithms’. (Addison-Wesley, Reading, MA, 
1974). 

AKN98] D. Aharonov, A. Kitaev, and N. Nisan. ‘Quantum Circuits with Mixed 
States’. Proceedings of the 31st Annual ACM Symposium on the Theory of 
Computation (STOC’98), 20-30, 1998. 

Amb02] A. Ambainis. ‘Quantum Lower Bounds by Quantum Arguments’. 
J. Comput. Syst. Sci. 64:750-767, 2002. 

Amb04] A. Ambainis. ‘Quantum Walk Algorithm for Element Distinctness’. 
Proceedings of the 45th Annual IEEE Symposium on Foundations of Com- 
puter Science (FOCS’04), 22-31, 2004. 


260 : 
TEAM LinG 


BIBLIOGRAPHY 261 


[ARO5] D. Aharonov and O. Regev. ‘Lattice Problems in NP Intersect coNP’. 
Journal of the ACM 52:749-765, 2005. 

[AVZ05] Dorit Aharonov, Vaughan Jones, and Zeph Landau. ‘A Polynomial 
Quantum Algorithm for Approximating the Jones Polynomial’. Proceed- 
ings of the thirty-eighth annual ACM symposium on Theory of computing 
(STOC’06), 427-436, 2006. 

[BBBV97] Charles H. Bennett, Ethan Bernstein, Gilles Brassard, and Umesh 
Vazirani. ‘Strengths and Weaknesses of Quantum Computing’. SIAM Jour- 
nal on Computing, 26:1510-1523, 1997. 

[BBC+95] Adriano Barenco, Charles H. Bennett, Richard Cleve, David 
P. DiVincenzo, Norman Margolus, Peter Shor, Tycho Sleator, John Smolin, 
and Harald Weinfurter. ‘Elementary Gates for Quantum Computation’. 
Physical Review A, 52(5):3457-3467, 1995. 

[BBC+98] Robert Beals, Harry Buhrman, Richard Cleve, Michele Mosca, and 
Ronald de Wolf. ‘Quantum Lower Bounds by Polynomials’. Journal of the 
ACM (2001), 48(4): 778-797. 

[BBCJPW93] Charles Bennett, Gilles Brassard, Claude Crepeau, Richard Josza, 
Asher Peres, and William Wootters. ‘Teleporting an Unknown Quantum 
State via Dual Classical and Einstein-Podolsky-Rosen Channels’. Physical 
Review Letters, 70:1895—1898, 1993. 

BBD+97] A. Barenco, A. Berthiaume, D. Deutsch, A. Ekert, R. Jozsa, and 
C. Macchiavello. ‘Stabilization of Quantum Computations by Symmetriza- 
tion’. SIAM Journal on Computing, 26(5):1541-1557, 1997. 

BBHT98] Michel Boyer, Gilles Brassard, Peter Hgyer, and Alain Tapp, ‘Tight 
Bounds on Quantum Searching’. Fortschritte der Physik 56(5-5):493-505, 
1988. 

BBPS95] Charles Bennett, Herbert Bernstein, Sandu Popescu, and Benjamin 
Schumacher. ‘Concentrating Partial Entanglement by Local Operations’. 
Phys. Rev. A, 53:2046, 1996. 

BCD05] D. Bacon, A. Childs, and W. van Dam. ‘From Optimal Measurement 
to Efficient Quantum Algorithms for the Hidden Subgroup Problem over 
Semidirect Product Groups’. Proc. 46th IEEE Symposium on Foundations 
of Computer Science (FOCS 2005), 469-478, 2005. 

BCW98] Harry Buhrman, Richard Cleve, and Avi Wigderson. ‘Quantum vs. 
Classical Communication and Computation’. Proceedings of the 30th An- 
nual ACM Symposium on Theory of Computing (STOC 1998), 63-68, 1998. 

BDEJ95] Adriano Barenco, David Deutsch, Artur Ekert, and Richard Jozsa. 
‘Conditional Quantum Dynamics and Quantum Gates’. Physical Review 
Letters, 74:4083—4086, 1995. 

BDHHMSW05] H. Buhrman, C. Durr, M. Heiligman, P. Hoyer, F. Magniez, 
M. Santha, and R. de Wolf. ‘Quantum Algorithms for Element Distinctness’. 
SIAM J. Comput., 34:1324—1330, 2005. 

Bea97| Robert Beals. ‘Quantum Computation of Fourier Transforms over Sym- 
metric Groups’. Proceedings of the 29th Annual ACM Symposium on The- 
ory of Computing (STOC’97), 48-53, 1997. 


TEAM LinG 


262 BIBLIOGRAPHY 


Ben73] Charles H. Bennett. ‘Logical Reversibility of Computation’. IBM Jour- 
nal of Research and Development, 17:525-532, November 1973. 

Ben89] Charles H. Bennett. ‘Time/Space Trade-offs for Reversible Computing’. 
SIAM Journal on Computing, 18(4):766—-776, 1989. 

Beth87a] Thomas Beth., ‘On the Computational Complexity of the General Dis- 
crete Fourier Transform’. Theoretical Computer Science, 51:331-339, 1987. 

Beth87b] Thomas Beth. ‘Generalized Fourier Transforms’. Trends in Computer 
Algebra, 92-118, 1987. 

BH97| Gilles Brassard and Peter Hoyer. ‘An Exact Quantum Polynomial-Time 
Algorithm for Simon’s Problem’. Proceedings of Fifth Israeli Symposium on 
Theory of Computing and Systems, IEEE Computer Society Press, 12-23, 
1997. 

[BHMT00] Gilles Brassard, Peter Hoyer, Michele Mosca, and Alain Tapp. ‘Quan- 
tum Amplitude Amplification and Estimation’. In $.J. Lomonaco, Jr., H.E. 
Randt, editors, Quantum Computation and Information, Contemporary 
Mathematics 305 (Providence, RI: AMS 2002), pp. 53-74. 

BHT97| G. Brassard, P. Hgyer, and Alain Tapp. ‘Cryptology Column— 
Quantum Algorithm for the Collision Problem’. ACM SIGACT News, 28: 
14-19, 1997. 

BHT98] Gilles Brassard, Peter Hgyer, and Alain Tapp. ‘Quantum Counting’. 
Proceedings of the ICALP’98 Lecture Notes in Computer Science, 1820-— 
1831, 1988. 

BL95] D. Boneh and R.J. Lipton. ‘Quantum Cryptanalysis of Hidden Lin- 
ear Functions’ (Extended Abstract). Lecture Notes in Computer Science, 
1443:820-831, Springer-Verlag, 1998. 

BMP+99] P. Boykin, T. Mor, M. Pulver, V. Roychowdhury, and F. Vatan. 
‘On Universal and fault-tolerant quantum computing: a novel basis and a 
new constructive proof of universality for Shor’s basis’. Proceedings of the 
40th Annual Symposium on Foundations of the Computer Science, 486-494, 
1999. 

Br03] Michael Brown. ‘Classical Cryptosystems in a Quantum Setting’. MMath 
Thesis. University of Waterloo, 2003. 

Buh96] H. Buhrman. ‘A Short Note on Shor’s Factoring Algorithm’. SIGACT 
News, 27(1):89-90, 1996. 

BV97| Ethan Bernstein and Umesh Vazirani. ‘Quantum Complexity Theory’. 
SIAM Journal on Computing, 26(5):1411-1473, October 1997. 

CDV96] Richard Cleve and David P. DiVincenzo. ‘Schumacher’s Quantum Data 
Compression As a Quantum Computation’. Physical Review A, 54(4):2636— 
2650, 1996. 

CEG95] Ran Canetti, Guy Even, and Oded Goldreich. ‘Lower Bounds for Sam- 
pling Algorithms for Estimating the Average’. Information Processing Let- 
ters, 53:17—25,1995. 

CEH-+99] Richard Cleve, Artur Ekert, Leah Henderson, Chiara Macchiavello, 
and Michele Mosca. ‘On Quantum Algorithms’. Complexity, 4:33-42, 
1999. 


TEAM LinG 


BIBLIOGRAPHY 263 


CEMM98] Richard Cleve, Artur Ekert, Chiara Macchiavello, and Michele 
Mosca. ‘Quantum Algorithms Revisited’. Proceedings of the Royal Society 
of London A, 454:339-354, 1998. 

Che02] Donny Cheung. ‘Using Generalized Quantum Fourier Transforms in 
Quantum Phase Estimation Algorithms’. MMath Thesis. University of 
Waterloo, 2002. 

Chu36] A. Church. ‘An unsolvable Problem of Elementary Number Theory’. 
Am. J. Math., 58:345, 1936. 

Cla] http://www.claymath.org/millennium/P_vs _ NP/ 

Cle00] Richard Cleve, “The Query Complexity of Order-Finding”. IEEE Con- 
ference of Computational Complexity, 54—, 2000. 

Cle99] Richard Cleve. ‘An Introduction to Quantum Complexity Theory’. In 
C. Macchiavello, G.M. Palma, and A. Zeilinger, editors, Collected Papers 
on Quantum Computation and Quantum Information Theory (World Sci- 
entific, 1999). 

CM01] K.K.H. Cheung and M. Mosca. ‘Decomposing Finite Abelian Groups’. 
Quantum Information and Computation, 1(3):2632, 2001. 

Coc73] C. Cocks. ‘A Note on Non-Secret Encryption’. 

Technical report, Communications-Electronics Security Group, U.K., 1973. 
Available at http://www.cesg.gov.uk/downlds/nsecret/notense. pdf 

Coh93] Henry Cohen. ‘A Course in Computational Algebraic Number Theory’ 
(Springer-Verlag, 1993). 

Coo71] S.A. Cook. ‘The Complexity of Theorem Proving Procedures’. Proceed- 
ings of the 38rd Annual ACM Symposium on the Theory of Computing 
(STOC’71), 151-158, 1971. 

Cop94] Don Coppersmith. ‘An Approximate Fourier Transform Useful in Quan- 
tum Factoring’. Research report, IBM, 1994. 

CRR054] Sourav Chakraborty, Jaikumar Radhakrishnan, and Nandakumar 
Raghunathan. ‘Bounds for Error Reduction with Few Quantum Queries’. 
APPROX-RANDOM 2005, 245-256, 2005. 

CS96] A.R.Calderbank and P.W. Shor. ‘Good Quantum Error-Correcting Codes 
Exist’. Physical Review A, 54:1098-1105, 1996. 

CTDL77| Claude Cohen-Tannoudji, Bernard Diu, and Franck Laloe. Quantum 
Mechanics, Volume 1 (John Wiley and Sons, 1977). 

Dav82] Martin Davis. Computability and Unsolvability (Dover Publications 
Inc., New York, 1982). 

Deu85] David Deutsch. ‘Quantum Theory, the Church-Turing Principle and the 
Universal Quantum Computer’. Proceedings of the Royal Society of London 
A, 400:97-117, 1985. 

Deu89] David Deutsch. ‘Quantum Computational Networks’. Proceedings of the 
Royal Society of London A, 425:73—90,1989. 

DH76a] W. Diffie and M.E. Hellman. ‘Multiuser Cryptographic Techniques’. 
Proceedings of AFIPS National Computer Conference, 109-112, 1976. 
DH76b] W. Diffie and M.E. Hellman. ‘New Directions in Cryptography’. IEEE 

Transactions on Information Theory, 22:644—654, 1976. 


TEAM LinG 


264 BIBLIOGRAPHY 


[DH00] W. van Dam and S. Hallgren. ‘Efficient Quantum Algorithms for Shifted 
Quadratic Character Problems’. Proceedings of the Fourteenth Annual 
ACM-SIAM Symposium on Discrete Algorithms, 489-498, 2003. 

[DHHM04] C. Durr, M. Heiligman, P. Hayer, and M. Mhalla. ‘Quantum Query 
Complexity of Some Graph Problems’. Proc. of 31st International Collo- 
quium on Automata, Languages, and Programming (ICALP’04), 481-493, 
2004. 

DHI03] W. van Dam, S. Hallgren, and L. Ip. ‘Quantum Algorithms for Some 
Hidden Shift Problems’. Proceedings of the ACM-SIAM Symposium on Dis- 
crete Algorithms (SODA’03), 489-498, 2003. 

Dir58] Paul A.M. Dirac. ‘The Principles of Quantum Mechanics (Clarendon 
Press, Oxford, 4th edition, 1958). 

DiV95] David DiVincenzo. ‘Two-Bit Gates Are Universal for Quantum Com- 
putation’. Physical Review A, 51(2):1015-1022,1995. 

DJ92] David Deutsch and Richard Josza. ‘Rapid Solution of Problems by Quan- 
tum Computation’. Proceedings of the Royal Society of London A, 439:553- 
558, 1992. 

DMV01] W. van Dam, M. Mosca, and U. Vazirani. ‘How Powerful Is Adiabatic 
Quantum Computation?’. Proc. 46th IEEE Symposium on Foundations of 
Computer Science (FOCS’01), 279-287, 2001. 

EH98] Mark Ettinger and Peter Hoyer. ‘On Quantum Algorithms for Noncom- 
mutative Hidden Subgroups’. arXiv e-print quant-ph/9807029, 1998. 

EHK04] M. Ettinger, P. Hgyer, and E. Knill. ‘The Quantum Query Complexity 
of the Hidden Subgroup Problem Is Polynomial’. Inf. Process. Lett., 91:43-— 
48, 2004. 

Ell70] J.H. Ellis. ‘The Possibility of Non-Secret Encryption’. Technical Report, 
Communications-Electronics Security Group, U.K., 1970. 

Available at http://www.cesg.gov.uk/downloads/nsecret /possnse.pdf 

Ell87| J.H. Ellis. ‘The Story of Non-Secret Encryption’. 

Technical report, Communications-Electronics Security Group, U.K., 1987. 
Avialable at http://www.cesg.gov.uk/downloads/nsecret /ellis.pdf 

EPR35] A. Einstein, B. Podolsky, and N. Rosen. ‘Can Quantum-Mechanical 
Description of Reality Be Considered Complete?’ Physical Review 47:777— 
780, 1935. 

Fey65| Richard P. Feynman. The Feynman Lectures on Physics, Volume III: 
Quantum Mechanics (Addison-Wesley, 1965). 

Fey82] Richard Feynman. ‘Simulating Physics with Computers’. International 
Journal of Theortical Physics, 21(6,7):467-488, 1982. 

FGGS98] E. Farhi, J. Goldstone, S. Gutmann, and M. Sipser. ‘A Limit on the 
Speed of Quantum Computation in Determining Parity’. Technical Report 
9802045, Los Alamos Archive, 1998. 

FGGS00] E. Farhi, J. Goldstone, S. Gutmann, and M. Sipser. ‘Quantum Com- 
putation by Adiabatic Evolution’. e-print arXiv: quant-ph/0001106, 2000. 

FIMSS03] K. Friedl, G. Ivanyos, F. Magniez, M. Santha, and P. Sen. ‘Hidden 
Translation and Orbit Coset in Quantum Computing’. Proceedings of the 


TEAM LinG 


BIBLIOGRAPHY 265 


Thirty-Fifth Annual ACM Symposium on Theory of Computing (STOC’03), 
1-9, 2003. 

GGJ76] Garey, Graham and Johnson. ‘Some NP-Complete Geometric Prob- 
lems’. Proceedings of the 8th Annual ACM Symposium on the Theory of 
Computing (STOC’76), 10-22, 1976. 

GJ79] Michael R. Garey and David S. Johnson. Computers and Intractibility 
A Guide to the Theory of NP-Completeness (W.H. Freeman and Company, 
New York, 1979). 

GJS76] M.R. Garey, D.S. Johnson, and L. Stockmeyer. ‘Some Simplified NP- 
Complete Graph Problems’. Theoretical Computer Science, 1:237—267, 1976. 

GN96] R.B. Griffiths and C.S. Niu. ‘Semi-Classical Fourier Transform for Quan- 
tum Computation’. Physical Review Letters, 3228-3231, 1996. 

Got98] Daniel Gottesman. ‘A Theory of Fault-Tolerant Quantum Computa- 
tion’. Physical Review A, 57:127—-137, 1998. 

Gri97| D.Y. Grigoriev. ‘Testing the Shift-Equivalence of Polynomials by 
Deterministic, Probablistic and Quantum Machines’. Theoretical Computer 
Science, 180:217—228, 1997. 

Gro96] Lov Grover. ‘A Fast Quantum Mechanical Algorithm for Database 
Search’. Proceedings of the 28th Annual ACM Symposium on the Theory 
of Computing (STOC 1996), 212-219. 

Gro98] Lov K. Grover. ‘Quantum Computers Can Search Rapidly by Using 
Almost Any Transformation’. Physical Review Letters, 80:4329-4332, 1998. 

Gro05] L. Grover. ‘Quantum Searching Amidst Uncertainty’. Unconventional 
Computation, 4th International Conference, Sevilla, Spain, 11-18, 2005. 

GSVV01] M. Grigni, L. Schulman, M. Vazirani, and U. Vazirani. ‘Quantum 
Mechanical Algorithms for the Nonabelian Hidden Subgroup Problem’. Pro- 
ceedings of the Thirty-Third Annual ACM Symposium on Theory of Com- 
puting (SODA’03), 68-74, 2001. 

(Hal05] S. Hallgren. ‘Fast Quantum Algorithms for Computing the Unit Group 
and Class Group of a Number Field’. Proceedings of the 37th ACM Sym- 
posium on Theory of Computing (STOC 2005), 468-474, 2005. 

[HMW03] P. Hoyer, M. Mosca, and R. de Wolf. ‘Quantum Search on Bounded- 
Error Inputs’. Proceedings of the Thirtieth International Colloquium on 
Automata, Languages and Programming (ICALP03), Eindhoven, 
The Netherlands, 291-299, 2003. 

Hoy97| Peter Hgyer. ‘Conjugated Operators in Quantum Algorithms’. Physical 
Review A, 59(5):3280-3289, 1999. 

HR90] Torben Hagerup and Christine Rub. ‘Guided Tour of Chernoff Bounds’. 
Information Processing Letters, 33(6):305-308, 1990. 

HRSO05] S. Hallgren, M. Roetteler, and P. Sen. ‘Limitations of Quantum Coset 
States for Graph Isomorphism’. arXiv e-print quant-ph/0511148, 2005. 
HW79] G.H. Hardy and E.M. Wright. An Introduction to the Theory of Num- 

bers (Oxford University Press, Oxford, 5th edition, 1979). 

IW97] R. Impagliazzo and A. Wigderson. ‘P=BPP if E Requires Exponential 

Circuits: Derandomizing the XOR Lemma’. Proceedings of the Twenty- 


TEAM LinG 


266 BIBLIOGRAPHY 


Ninth Annual ACM Symposium on Theory of Computing, 220-229, 
1997. 

JLO2] R. Jozsa and N. Linden. ‘On the Role of Entanglement in Quantum 
Computational Speed-ups’. arXiv e-print quant-ph/0201143, 2002. 

Jos99] Richard Jozsa. ‘Searching in Grover’s Algorithm’. arXiv e-print quant- 
ph/9901021. 

Kar72] R. Karp. ‘Reducibility Among Combinatorial Problems’. Complexity of 
Computer Computations, 85-103, 1972. 

Kit96] A. Kitaev. ‘Quantum Measurements and the Abelian Stabilizer Prob- 
lem’. Electronic Colloquium on Computational Complexity (ECCC), 3, 
1996. 

Kit97| A.Y. Kitaev. ‘Quantum Computations: Algorithms and Error Correc- 
tion’. Russ. Math. Surv., 52(6):1191-1249, 1998. 

KLZ97| Emanuel Knill, Raymond Laflamme, and Wojciech, Zurek. ‘Resilient 
Quantum Computation: Error Models and Thresholds’. Technical Report, 
1997. Also arXiv e-print quant-ph/9702058. 

KMO0O1] P. Kaye and M. Mosca. ‘Quantum Networks for Concentrating Entangle- 
ment’. Journal of Physics A: Mathematical and General, 34(35):6939-6948, 
2001. 

KM02] P. Kaye and M. Mosca. ‘Quantum Networks for Generating Arbitrary 
Quantum States’. Proceedings of the International Conference on Quan- 
tum Information, OSA CD-ROM (Optical Society of America, Washington, 
D.C., 2002), PB28. 

Knu98] Donald E. Knuth. Seminumerical Algorithms, Volume 2 (Addison- 
Wesley, 3rd edition, 1998). 

Kob94] Neil Koblitz. A Course in Number Theory and Cryptography (Springer- 
Verlag, New York, 2nd edition, 1994). 

KS05] J. Kempe and A. Shalev. ‘The Hidden Subgroup Problem and Permu- 
tation Group Theory’. Proceedings of the Sixteenth Annual ACM-SIAM 
Symposium on Discrete Algorithms (SODA’05), 1118-1125, 2005. 

Kup05] G. Kuperberg. ‘A Subexponential-Time Quantum Algorithm for the 
Dihedral Hidden Subgroup Problem’. SIAM Journal on Computing, 35: 170— 
188, 2005. 

KW03] I. Kerenidis and R. de Wolf. ‘Exponential Lower Bound for 2-Query 
Locally Decodable Codes via a Quantum Argument’. STOC ’03: Proceed- 
ings of the Thirty-Fifth Annual ACM Symposium on Theory of Computing 
(STOC 2003), 106-115, 2003. 

Lev73] L.A. Levin. ‘Universal Sorting Problems’. Problems of Information 
Transmission, 9:265-266, 1973. 

L1095] Seth Lloyd. ‘Almost Any Quantum Logic Gate Is Universal’. Physical 
Review Letters, 75:346—-349, 1995. 

Llo96] S. Lloyd. ‘Universal Quantum Simulators’. Science, 273:1073-1078, 
1996. 

LTV98] M. Li, J. Tromp, and P. Vitanyi. ‘Reversible Simulation of Irreversible 
Computation’. Physica D, 120:168-176, 1998. 


TEAM LinG 


BIBLIOGRAPHY 267 


ME99] Michele Mosca and Artur Ekert. ‘The Hidden Subgroup Problem and 
Eigenvalue Estimation on a Quantum Computer’. Lecture Notes in Com- 
puter Science, Volume 1509, 1999. 

Mil75] J.C.P. Miller. ‘On factorisation, with a suggested new approach’. Math- 

ematics of Computation, 29(129):155-172, 1975. 

Mos98] Michele Mosca. ‘Quantum Searching and Counting by Eigenvector 

Analysis’. Proceedings of Randomized Algorithms, Workshop of MFCS98, 

Brno, Czech Republic, 1998. 

Mos99] Michele Mosca. Quantum Computer Algorithms. D.Phil. Dissertation, 

Wolfson College, University of Oxford, 1999. 

Mos01] M. Mosca. ‘Counting by Quantum Eigenvalue Estimation’. Theoretical 

Computer Science, 264:139-153, 2001. 

MR95] Rajeev Motwani and Prabhakar Raghavan. Randomized Algorithms 

(Cambridge University Press, 1995). 

MRRS04] C. Moore, D. Rockmore, A. Russell and L. Schulman. ‘The Power of 
Basis Selection in Fourier Sampling: Hidden Subgroup Problems in Affine 
Groups’. Proceedings of the Fifteenth Annual ACM-SIAM Symposium on 
Discrete Algorithms (SODA’04), 1113-1122, 2004. 

MSS05] F. Magniez, M. Santha, and M. Szegedy. ‘Quantum Algorithms for 

the Triangle Problem’. Proceedings of the Sixteenth Annual ACM-SIAM 

Symposium on Discrete Algorithms (SODA’05), 1109-1117, 2005. 

MvOV97] Alfred J. Menezes, Paul C. Van Oorschot, and Scott A. Vanstone. 

Handbook of Applied Cryptography (CRC Press, London, 1997). 

MZ04] M. Mosca and C. Zalka. ‘Exact Quantum Fourier Transforms and Dis- 

crete Logarithm Algorithms’. International Journal of Quantum Informa- 

tion, 2(1):91-100, 2004. 

NCO00] Michael Nielson and Isaac Chuang. Quantum Computation and Quan- 

tum Information (Cambridge University Press, 2000). 

Neu56] John von Neumann. ‘Probabilistic Logics and Synthesis of Reliable Or- 

ganisms From Unreliable Components’. In C.E. Shannon and J. McCarthy, 

editors, Automata Studies (Princeton University Press, 1956). 

NS94] N. Nisan and M. Szegedy. ‘On the Degree of Boolean Functions As Real 

Polynomials’. Computational Complexity, 4(4):301-313, 1994. 

NW99] Ashwin Nayak and Felix Wu. ‘On the Quantum Black-Box Complexity 
of Approximating the Mean and Related Statistics’. Proceedings of the 21st 
Annual ACM Symposium on Theory of Computing (STOC’99), 1999. 

Pap94] C. Papadimitriou. Computational Complexity (Addison-Wesley, 1994). 

Pat92] R. Paturi. ‘On the Degree of Polynomials that Approximate Symmetric 
Boolean Functions’. Proceedings of the 24th Annual Symposium on Theory 
of Computing, 468-474, 1992. 

Pra75] Vaughan R. Pratt. ‘Every Prime Has a Succinct Certificate’. SIAM Jour- 
nal on Computing, 4(3):214—220, 1975. 

PRB99] Markus Piischel, Martin Rotteler, and Thomas Beth. ‘Fast Quantum 

Fourier Transforms for a Class of Non-Abelian Groups’. AAECC 1999, 148— 

159. 


TEAM LinG 


268 BIBLIOGRAPHY 


Pre] John Preskill. Lecture notes. Available at 
http://www.theory.caltech.edu/% 7Epreskill/ph219/index.html#¥ lecture 

Raz99] Ran Raz. ‘Exponential Separation of Quantum and Classical Commu- 
nication Complexity’. Proceedings of the 31st Annual ACM Symposium on 
the Theory of Computing (STOC 1999), 358-367. 

RB98] Martin R6tteler and Thomas Beth. ‘Polynomial-Time Solution to the 
Hidden Subgroup Problem for a Class of Non-Abelian Groups’. arXiv 
e-print quant-ph/9812070, 1998. 

Reg04] O. Regev. ‘Quantum Computation and Lattice Problems’. SIAM Jour- 
nal on Computing, 33:738—760, 2004. 

Rog87| Hartley Rogers. ‘Theory of Recursive Functions and Effective Com- 
putability’ (MIT Press, 1987). 

RRS05] J. Radhakrishnan, M. Rotteler, and P. Sen. ‘On the Power of Random 
Bases in Fourier Sampling: Hidden Subgroup Problem in the Heisenberg 
Group’. In Proceedings of the 32nd International Colloquium on Automata, 
Languages and Programming (ICALP), 1399-1411, 2005. 

RSA78] R.L. Rivest, A. Shamir, and L.M. Adleman. ‘A Method for Obtaining 
Digital Signatures and Public-Key Cryptosystems’. Communications of the 
ACM, 21:120-126, 1978. 

Sch95] Benjamin Schumacher. ‘Quantum Coding’. Phys. Rev. A 51, 2738-2747, 
1995. 

Sch98] R. Schack. ‘Using a Quantum Computer to Investigate Quantum Chaos’. 
Physical Review A, 57:1634—1635, 1998. 

Sho94] Peter Shor. ‘Algorithms for Quantum Computation: Discrete Logarithms 
and Factoring’. Proceedings of the 35th Annual Symposium on Foundations 
of Computer Science, 124-134, 1994. 

Sho95a] Peter Shor. ‘Scheme for Reducing Decoherence in Quantum Computer 
Memory’. Phys. Rev. A, 52:2493, 1995. 

Sho96] Peter Shor. ‘Fault-Tolerant Quantum Computation’. Proceedings of the 
37th Annual Symposium on Fundamentals of Computer Science, 56-65, 

(IEEE Press, Los Alimitos, CA, 1996). 

Sho97| P. Shor. ‘Polynomial-Time Algorithms for Prime Factorization and Dis- 
crete Logarithms on a Quantum Computer’. SIAM J. Computing, 26:1484— 
1509, 1997. 

Sim94] Daniel R. Simon. ‘On the Power of Quantum Computation’. In Shafi 
Goldwasser, editor, Proceedings of the 35th Annual Symposium on Foun- 
dations of Computer Science, pp. 116-123 (IEEE Computer Society Press, 
November 1994). 

(Sim97] D. Simon. ‘On the Power of Quantum Computation’. SIAM J. Comput- 
ing, 26:1474-1483, 1997. 

[Sip83] M. Sipser. ‘A Complexity Theoretic Approach to Randomness’. Proc. 
15th ACM Symp. on the Theory of Computing, 330-335, 1983. 

[Sip96] M. Sipser. ‘Introduction to the Theory of Computation’ (Brooks-Cole, 

1996). 


TEAM LinG 


BIBLIOGRAPHY 269 


SS71] A. Schénhage and V. Strassen. ‘Schnelle Multiplikation grosser Zahlen’. 
Computing, 7:281—292, 1971. 

Ste96] A.M. Steane. ‘Error Correcting Codes in Quantum Theory’. Physical 
Review Letters, 77:793—797, 1996. 

Ste97] A.M. Steane. ‘Active Stabilization, Quantum Computation, and Quan- 
tum State Synthesis’. Physical Review Letters, 78:2252—2255, 1997. 

TDV04] Barbara Terhal and David DiVincenzo. ‘Classical Simulation of 
Noninteracting-Fermion Quantum Circuits’. Physical Review A, 65:32325— 
32334, 2004. 

Ter99] Barbara Terhal. Quantum Algorithms and Quantum Entanglement. 
Ph.D. thesis, University of Amsterdam, 1999. 

Tur36] A.M. Turing. ‘On Computable Numbers, with an Application to 
Entscheid-ungsproblem’. Proc. London Math Society, 42:230-265, 1936. 
Also, 43:544-546, 1937. 

Val02| L.G. Valiant. ‘Quantum Circuits That Can Be Simulated Classically in 
Polynomial Time’. SIAM Journal on Computing, 31(4):1229-1254, 2002. 

Vaz98)] U. Vazirani. ‘On the Power of Quantum Computation’. Philosophical 
Transactions of the Royal Society of London, Series A, 356:1759-1768, 1998. 

Vid03] G. Vidal. ‘On the Role of Entanglement in Quantum Computational 
Speedup.’ Physical Review Letters, 91:147902, 2003. 

Wel88] Dominic Welsh. Codes and Cryptography (Oxford University Press, 
Oxford, 1998). 

‘Yao93] Andrew Chi-Chih Yao. ‘Quantum Circuit Complexity’. Proceedings of 
the 34th IEEE Symposium on Foundations of Computer Science, pp. 352— 
361. (Institute of Electrical and Electronic Engineers Computer Society 
Press, Los Alamitos, CA, 1993). 

[Zal98a] Christof Zalka. ‘Fast Versions of Shor’s Quantum Factoring Algorithm’. 
Technical report 9806084, Los Alamos Archive, 1998. 

[Zal98b] Ch. Zalka. ‘Efficient Simulation of Quantum Systems by Quantum Com- 

puters’. Proc. Roy. Soc. Lond. A, 454:313-322, 1998. 


TEAM LinG 


Index 


Note: The italic page numbers indicate where terms are defined. 


2-sided error quantum query complexity 
192 
3-COLOURABLE, see ‘problem— 
3-COLOURABLE’ 
3-CNF (3-conjunctive normal form) 184 
3-SAT (3-satisfiability), see ‘problem— 
3-SAT’ 
Aaronson 185 
Abelian stabilizer problem, see 
‘problem—Abelian stabilizer’ 
adiabatic algorithm, see 
‘algorithm—adiabatic’ 
adjoint 28 
adversary methods 180, 198, 248 
Alan Turing 3 
algorithm 1, 4 
adiabatic 178 
amplitude estimation 172 
continued fractions 123 
counting with accuracy « 173 
counting with error in O(Vt) 173 
Deutsch 94-8 
Deutsch—Jozsa 99-103 
discrete logarithm 144 
eigenvalue estimation 129 
estimating a random integer multiple of 
+ 139 
ka 
exact counting 173 
extended Euclidean 124 
finding the period of a periodic state 
122 
finite Abelian hidden subgroup problem 
149 
searching 152-6, 157, 158-63 
order-finding 137 
order-finding, Shor’s approach 139 
probabilistic 86, 241 
quantum 88 
searching without knowing success 
probabilities I 177 
searching without knowing success 
probabilities II 177 
Simon’s 103, 104, 105, 109 
zero-error 107 
amplitude 39, 50, 87, 88 


270 


amplitude amplification 163-9 

amplitude estimation 170-2 

amplitude estimation algorithm, see 
‘algorithm—amplitude estimation’ 

amplitude estimation problem, see 
‘problem—amplitude estimation’ 

ancilla 50, 75 

AND-OR tree 201 

anti-commute 229 

approximating unitary transformations 
71-3 


balanced function 95, 99 
basis 
Bell 75 
change of 30, 74-6 
computational 22, 39 
dual 27 
orthonormal 25 
vectors 22 
beam splitter 15, 18 
Bell basis, see ‘basis—Bell’ 
Bell measurement, see 
‘measurement—Bell’ 
Bell state 75, 78 
Bernoulli trials 242 
bit 
deterministic classical 39, 41, 43 
probabilistic classical 41, 42, 43 
quantum, see ‘qubit’ 
flip 205, 214 
black box 94, 138, 180, 185 
black-box model 185 
black-box group 250 
Bloch sphere 42, 43, 63, 65, 70 
block sensitivity 180, 197 
Bohr 19 
Boolean formula 184 
bounded-error probabilistic polynomial 
time, see ‘BPP’ 
bounded-error quantum polynomial time, 
see ‘BQP’ 
BPP 182, 183 
BQP 182, 183 
bra 21 


TEAM LinG 


Cauchy-Schwartz inequality 191 
change of basis 30 
channel 205 
communication 78, 79 
quantum 213 
character (of a group) 148 
Chebyshev’s inequality 242 
Chernoff bound (inequality) 103, 242, 246 
Church—Turing thesis 3 
circuit 
acyclic 6 
diagram 61 
model of computation 6, 61 
probabilistic 7 
quantum 20, 61 
reversible 6 
satisfiability 184 
uniform families of 6, 7, 77, 180 
Clay Mathematics Institute 185 
Clifford group 91 
coherent error 215 
coin-flipper 4, 5 
communication channel, see 
‘channel—communication’ 
communication protocol 78 
commute 229 
complete measurement, see 
‘measurement—complete’ 
completely positive map 60 
complex conjugate 23 
complexity 2, 7 
computational complexity theory 179 
of discrete logarithm problem 145 
of order finding 139 
composite system 45, 46, 47, 57 
Composition of Systems Postulate 46 
computational basis, see 
‘basis—computational’ 
computational complexity theory, see 
‘complexity—computational 
complexity theory’ 
computer 1 
condition for error correction 207, 208 
conditions for quantum error correction 
220 
conjugate commutativity 23 
constant function 94, 99 
continued fractions algorithm, see 
‘algorithm—continued fractions’ 
control bit 10 
controlled-NOT gate (CNOT), see 
‘gate—controlled-NOT 
controlled-Ugate (CNOT), see 
‘gate—controlled-U 
convergents 123 
correctable errors 206 
counting 170, 173, 174 


de Broglie 19 


INDEX 271 


decision problem 180 

density operator (density matrix) 27, 53, 
54-7 

depth 7 

discretization of errors 221 

deterministic 8 

deterministic query complexity 192 

Deutsch algorithm, see 
‘algorithm—Deutsch’ 

Deutsch problem, see ‘problem—Deutsch’ 

Deutsch—Jozsa algorithm, see 
‘algorithm—Deutsch—Jozsa’ 

Deutsch—Jozsa problem, see 
‘problem—Deutsch—Jozsa’ 

Dirac delta function 6;,; 32 

Dirac notation 21, 22, 24, 37 

discrete Fourier transform 116 

discrete logarithm algorithm, see 
‘algorithm—discrete logarithm’ 

discrete logarithm problem, see 
‘problem—discrete logarithm’ 

discrete random variable 241 

dot product 23 

dual vector space 24, 27 


efficiency 2, 4, 183 

eigenspace 51 

eigenstate, see ‘eigenvector’ 

eigenvalue 29, 30, 31, 51, 94 

eigenvalue estimation 125-30 

eigenvector 29, 30, 31, 92, 94, 98 

electromagnetism 19 

electron 40 

element distinctness problem, see 
‘problem—element distinctness’ 

elliptic curve 142, 145 

encoding 206, 216 

ensemble of pure states 53 

entanglement 46, 56, 82 

environment 213 

EPR-pair, see ‘Bell state’ 

error-correcting code 5 

error correction 5, 212-23 

error model 205, 213 

error probability parameter 219 

error syndrome 209 

estimating a random integer multiple of 
i, see ‘algorithm—estimating a 
random integer multiple of 2 

Euclidean norm 25 

Evolution Postulate 44, 45 

exact quantum query complexity 192 

excited state 40 

exclusive-OR operation 10 

exponential 2 

exponential function 32 

extended Euclidean algorithm, see 
‘algorithm—extended Euclidean’ 


TEAM LinG 


272 INDEX 


factoring 110, 130, 132, see also 
‘problem—integer factorization’ 

fault tolerance 5, 212, 226, 234-8 

fidelity 218 

finite Abelian hidden subgroup problem, 
see ‘algorithm—finite Abelian 
hidden subgroup problem’ 

Feynman 20 


gate 6,9 
l-qubit 44, 47, 63, 66 
3-bit 7 
AND 11 
controlled-NOT (CNOT) 10, 47, 66-7, 82, 
91-2, 212 
controlled-U 66, 67 
entangling 69 
Hadamard, see ‘Hadamard’ 
NOT 9, 44 
Pauli 44, 64 
phase 71 
rotation 63, 64, 70, 114 
square root of NOT 91 
Toffoli 7, 68, 210 
unitary 44, 61 
universal set 69, 70, 71 
X 44 
Y 44 
Z 44 
general measurement, see 
‘measurement—general’ 
general quantum operations 59-60 
general search iterate 164 
generalized Simon’s algorithm, see 
‘algorithm—generalized Simon’s’ 
generalized Simon’s problem, see 
‘problem—generalized Simon’s’ 
Gottesman—Knill theorem 91 
graph automorphism problem, see 
‘problem—graph automorphism’ 
greatest common divisor (GCD) 124 
ground state 40 
group representation theory 148 
Grover’s algorithm, see 
‘algorithm—search’ 
Grover iterate 156 


Hadamard 70, 71, 100, 111 

Hamiltonian 29, 45 

Heisenberg 19 

Hermitean 29, 45 

Hermitean conjugate 24, 28 

hidden linear functions, see 
‘problem—hidden linear functions’ 

hidden string 103, 107 

hidden subgroup 109 

hidden subgroup problem, see 
‘problem—hidden subgroup’ 

Hilbert space 21, 39, 50 


hybrid method 180, 188 


incoherent error 215 

information 19 

information processing 1 

inner product 21, 23, 24, 25, 27, 37 

integer factorization problem, see 
‘problem—integer factorization’ 

integers mod N 131 

interactive proofs 184 

interference 16, 19, 88, 89, 94, 96 

interval of convergence 32 

intractable 183 

inversion about the mean 158 

irreversible 12 


ket 21 

Kraus operators 59, 60, 215, 221, 222, 
229, 238 

Kronecker delta function, 6;,; 25 

Kronecker product (left) 34 


language 180 

language recognition problem 180 
linear operator 27 

log-RAM model 4, 180 

logarithmic 2 

lower bounds 179 

lower bounds for searching 188 
lowest common multiple (LCM) 124 


MA 184 
MAJORITY function 196, 200 
Markov’s inequality 107, 241 
matrix representation 8, 9, 24, 28, 34, 44, 
47, 71 
Maxwell 19 
measurement 19, 48, 49, 54 
Bell 75-6, 79, 82 
circuit diagram symbol 61 
complete 51, 77 
general 255 
implementing 73-7 
parity 51, 76, 130 
POVM 258 
projective 50, 76, 257 
pure 255 
von Neumann 50-2, 77 
Measurement Postulate 40, 41, 48, 49, 50 
Merlin—Arthur games, see ‘MA’ 
Millennium Problems 185 
mixed state 53, 56 
mixture 53 
modular arithmetic 131 


network 6 

Newton 19 

nine-qubit code, see ‘Shor code’ 
no-cloning theorem 82, 216 


TEAM LinG 


non-deterministic polynomial time, see 
‘NP’ 

normalization constraint 40 

NP 183 

NP-complete 184 


O-notation 2, 179 
observable 51, 52, 130 
Q-notation 179 
operator 9, 21 
1-qubit unitary 45 
function of 32, 33 
Krauss 60 
normal 30 
Pauli, see ‘gate—Pauli’ 
OR function 186, 195, 196, 197 
oracle, see ‘black box’ 
order finding algorithm, see 
‘algorithm—order finding’ 
order finding problem, see 
‘problem—order finding’ 
orthogonal 25 
orthogonal complement 104 
orthonormal 25 
outer product 27 


P 180 
P = NP question 185 
parallel(ism) 8, 94 
parity 76, 77, 209, 212 
PARITY function 196, 200 
parity measurement, see 
‘measurement—parity’ 
partial function 192 
partial trace 56 
period-finding algorithm, see 
‘algorithm—finding the period of a 
periodic state’ 
period-finding problem, see 
‘problem—period-finding’ 
periodic states 120, 122 
phase 40 
estimation 112-20 
estimation problem, see 
‘problem—phase estimation’ 
flip 225 
gate, see ‘gate—phase’ 
global 41 
kick-back 91-4 
parity 229 
relative 40 
photon 15, 38, 39 
Planck 19 
Poisson trials 242 
polynomial 2, 4, 72, 182 
polynomial method 180 
polynomial time, see ‘P’ 
positive operator valued measure 258 
POVM, see ‘measurement—POVM’ 


INDEX 273 


probabilistic algorithm, see 
‘algorithm—probabilistic’ 
probabilistic Turing machine 4, 7, 20 
probability amplitude, see ‘amplitude’ 
problem 
3-COLOURABLE 181, 183 
3-SAT 184, 190 
Abelian stabilizer 147 
amplitude estimation 170 
Deutsch 95, 146 
Deutsch—Jozsa 99, 192 
discrete logarithm 142, 243 
discrete logarithms in any group 146 
eigenvalue estimation 126 
element distinctness 178 
generalized Simon’s 108, 146 
graph automorphism 147 
graph isomorphism 184 
hidden linear functions 146 
hidden subgroup 146 
integer factorization 132, 184 
order-finding 130, 133, 146 
period-finding 146, 192 
phase estimation 112 
sampling estimates to an almost 
uniformly random integer multiple 
of 4 134 
search 153 
self-shift-equivalent polynomials 147 
Simon’s 104 
splitting an odd non-prime-power 
integer 132 
subset sum 184 
traveling salesman 184 
projective measurement, see 
‘measurement—projective’ 
projector 27, 29, 50, 51 
promise problem 192 
PSPACE 180, 184 
pure measurement, see 
‘measurement—pure’ 
pure state 53 


quantize 40 

quantum 
bit, see ‘qubit’ 
channel, see ‘channel—quantum’ 
computer 1, 20 
electrodynamics 38 
error correction, see ‘error correction’ 
field theory 38 
Fourier transform (QFT) 94, 110, 116, 

117 

information processing 1, 38 
instrument 255 
mechanics 19, 38 
physics 15, 19, 38 
strong Church—Turing thesis 6 
Turing machine 7 


TEAM LinG 


274 INDEX 


qubit 38, 39 
query complexity 186 


randomness 4 
random access machine (RAM) 4 
realistic model of computation 5 
recovery operation 206, 217—9 
reduced density operator 56 
repetition code 211 
resolution of the identity 28 
reversible 12, 13, 14 
rounding off 163 
RSA cryptosystem 130 


sampling estimates to an almost 
uniformly random integer multiple 
of i, see ‘problem—sampling 
estimates to an almost uniformly 
random integer multiple of a 
Schmidt 
basis 36, 59 
coefficients 35 
decomposition 35, 37, 58, 253 
Schrodinger 19 
Schrodinger equation 45 
search algorithm, see ‘algorithm—search’ 
search problem, see ‘problem—search’ 
searching without knowing the success 
probability 175-7 
self-shift-equivalent polynomials, see 
‘problem—self-shift-equivalent 
polynomials’ 
Shor, Peter 130 
Shor code 230 
Shor’s algorithm, see 
‘algorithm—order-finding, Shor’s 
approach’ 
Simon’s algorithm, see 
‘algorithm—Simon’s’ 
Simon’s problem, see ‘problem—Simon’s’ 
simulation 3, 4, 20, 91 
Solovay—Kitaev theorem 72, 73 
space 2, 7, 8 
spectral theorem 30, 31, 32 
spin 40 
splitting an odd non-prime-power integer, 
see ‘problem—splitting an odd 
non-prime-power integer’ 
stabilizer 229 
state 8, 39 
state distinguishability 187, 258 
State Space Postulate 39 
stochastic matrix 89 
strong Church—Turing thesis 2, 5, 20 
subset sum problem, see 
‘problem—subset sum’ 
subsystem 10, 46, 56 


superdense coding 78-80 
superoperator 57, 59, 61, 215 
superpolynomial 2 
superposition 16, 18 
symmetric function 192 


target bit 10 
Taylor series 32, 33 
teleportation 80-5 
tensor product 10, 33, 34, 46 
OQ-notation 179 
threshold 
condition 235, 236 
error probability 235 
theorem 237, 239 
THRESHOLD yy, function 196 
time 2, 7 
time evolution 43 
total function 192 
trace 29, 54 
tracing-out 57 
tractable 183 
traveling salesman problem, see 
‘problem—traveling salesman’ 
Turing machine 3 
two-level system 39, 40 


unary encoding 181 
uncompute 14 
uniform 7 
unitary operator 29, 44, 45, 48, see also 
‘gate—unitary’ 
universal 7, 69 
for 1-qubit gates 70 
for classical computation 7 
set of quantum gates, see 
‘gate—universal set’ 


vector 8, 18, 21 
column 22, 23 
dual 21, 23, 24 
norm of 25 
sparse 23 
state 39, 42, 53 
unit 25, 39, 40 
verifier 184 
von Neumann measurement, see 
‘measurement—von Neumann’ 


white box 186 
width 8 
wire 6 


XOR 102 


zero-error algorithm, see ‘algorithm—zero 
error’ 


TEAM LinG 


